Proof search has been used to specify a wide range of computation systems. In order to build a framework for
reasoning about such specifications, we make use of a sequent calculus involving induction and co-induction.
These proof principles are based on a proof-theoretic (rather than set-theoretic) notion of definition [19],
111 . [47], [25]. Definitions are akin to logic programs, where the left and right rules for defined atoms allow
one to view theories as "closed" or defining fixed points. The use of definitions and free equality makes it
possible to reason intensionally about syntax. We add in a consistent way rules for pre- and post-fixed points,
thus allowing the user to reason inductively and co-inductively about properties of computational systems,
making full use of higher-order abstract syntax. Consistency is guaranteed via cut-elimination, where we give
the first, to our knowledge, cut-elimination procedure in the presence of general inductive and co-inductive
definitions.
1. Introduction



A common approach to specifying computation systems is via deductive systems. Those are used to
specify and reason about various logics, as well as aspects of programming languages such as operational
semantics, type theories, abstract machines, etc. Such specifications can be represented as logical theories in a
suitably expressive formal logic where proof search can then be used to model the computation. A logic used
as a specification language is known as a logical framework [38], which comes equipped with a representation
methodology. The encoding of the syntax of deductive systems inside formal logic can benefit from the use of
higher-order abstract syntax (HOAS), a high-level and declarative treatment of object-level bound variables
and substitution. At the same time, we want to use such a logic to reason over the meta-theoretical properties
of object languages, for example type preservation in operational semantics [26], soundness and completeness
of compilation [32] or congruence of bisimulation in transition systems [27]. Typically this involves reasoning
by (structural) induction and, when dealing with infinite behavior, co-induction [23].

The need to support both inductive and co-inductive reasoning and some form of HOAS requires some
careful design decisions, since the two are prima facie notoriously incompatible. While any meta-language
based on a $\lambda$-calculus can be used to specify and animate HOAS encodings, meta-reasoning has traditionally
involved (co)inductive specifications both at the level of the syntax and of the judgements, which are
of course unified at the type-theoretic level. The first provides crucial freeness properties for datatype
constructors, while the second offers principles of case analysis and (co)induction. This is well known to
be problematic, since HOAS specifications may lead to non-monotone (co)inductive operators, which for
cardinality and consistency reasons are not permitted in inductive logical frameworks. Moreover, even when
HOAS is weakened so as to be made compatible with standard proof assistants [10] such as HOL or Coq,
the latter suffer the fate of allowing the existence of too many functions and yielding the so-called exotic
terms. Those are canonical terms in the signature of an HOAS encoding that do not correspond to any term
in the deductive system under study. This causes a loss of adequacy in HOAS specifications, which is one of
the pillars of formal verification, and it undermines the trust in formal derivations. On the other hand, logics
such as LF [2(| that are weak by design in order to support this style of syntax are not directly endowed
with (co)induction principles.

The contribution of this paper lies in the design of a new logic, called Linc$^-$ (for a logic with $\lambda$-terms,
induction and co-induction),$^1$ which carefully adds principles of induction and co-induction to a higher-order
intuitionistic logic based on a proof-theoretic notion of definition, following on work (among others) by Lars
Hallnäs [19], Eriksson, Schroeder-Heister [47] and McDowell and Miller [25]. Definitions are akin to
logic programs, but allow us to view theories as "closed" or defining fixed points. This alone allows us to
perform case analysis independently of induction principles. Our approach to formalizing induction and
co-induction is via the least and greatest solutions of the fixed point equations specified by the definitions.
The proof rules for induction and co-induction make use of the notion of pre-fixed points and post-fixed points
respectively. In the inductive case, this corresponds to the induction invariant, while in the co-inductive one
to the so-called simulation. Judgements are encoded as definitions according to their informal semantics,
either inductive or co-inductive.

The simply typed language and the notion of free equality underlying Linc$^-$, enforced via (higher-order)
unification in an inference rule, make it possible to reason intensionally about syntax. In fact, we can support
HOAS encodings of constants and we can prove the freeness properties of those constants, namely injectivity,
distinctness and case exhaustion, although they cannot be the constructors of a (recursive) datatype.

Linc$^-$ can be proved to be a conservative extension of FO$\lambda^{\Delta\mathbb{N}}$ [25] and a generalization (with a term
language based on simply typed $\lambda$-calculus) of Martin-Löf first-order theory of iterated inductive definitions.
Moreover, to the best of our knowledge, it is the first sequent calculus with a syntactical cut-elimination
theorem for co-inductive definitions. In recent years, several logical systems have been designed that build
on the core features of Linc$^-$. In particular, one interesting, and orthogonal, extension is the addition of the
$\nabla$-quantifier 31, 52, 5^, 14 1, which allows one to reason about the intensional aspects of names and bindings
in object syntax specifications (see, e.g., [TBI, HH). The cut elimination proof presented in this paper can be
used as a springboard towards cut elimination procedures for more expressive (conservative) extensions of
Linc$^-$.

In fact, the possibility of adapting the cut elimination proof for Linc$^-$ to various extensions of Linc$^-$
with $\nabla$ is one of the main reasons to introduce a direct syntactic cut elimination proof. We note that
there are at least a couple of indirect methods to prove cut elimination in a logic with inductive and/or
co-inductive definitions. The first of such methods relies on encodings of inductive and co-inductive definitions
as second-order (or higher-order) formulae. This approach is followed in a recent work by Baelde and
Miller [6] where a logic similar to Linc$^-$ is considered. Cut elimination in their work is proved indirectly via
an encoding into higher-order linear logic. However, in the presence of $\nabla$, the existence of such an encoding
is presently unknown. The second approach is via semantical methods. This approach is taken in a recent
work by Brotherston and Simpson [8], who provide a model for a classical first-order logic with inductive
definitions; hence, cut elimination follows by the semantical completeness of the cut-free fragment. It is not
obvious how such semantical methods can be adapted to prove cut elimination for extensions of Linc$^-$ with
$\nabla$. This is because the semantics of $\nabla$ itself is not yet very well understood, although there have been some
recent attempts, see [29], [46], JjJ-



The present paper is an extended and revised version of [33]. In the conference paper, the co-inductive
rule had a technical side condition that is restrictive and unnatural. The restriction was essentially imposed
by the particular cut elimination proof technique outlined in that paper. This restriction has been removed
in the present version, and the (co-)induction rules have been generalized. For the latter, the formulation
of the rules is inspired by a second-order encoding of least and greatest fixed points. Consequently, we now
develop a new cut elimination proof, which is radically different from the previous proof, using a
reducibility-candidate technique, which is influenced by Girard's strong normalisation proof for System F [18]. This paper
is concerned only with the cut elimination proof of Linc$^-$. For examples and applications of Linc$^-$ and its
extensions with $\nabla$, we refer the interested reader to [H^, EI , ljl 54 |.

$^1$ The "minus" in the terminology refers to the lack of the $\nabla$-quantifier w.r.t. the eponymous logic in Tiu's thesis [52].

The rest of the paper is organized as follows. Section 2 introduces the sequent calculus for the logic.
Section 3 presents two transformations of derivations that are essential to the cut reduction rules and the
cut elimination proof in subsequent sections. Section 4 is the heart of the paper: we first (Subsection 4.1)
give a (sub)set of reduction rules that transform a derivation ending with a cut rule to another derivation.
The complete set of reduction rules can be found in Appendix A. We then introduce the crucial notions of
normalizability (Subsection 4.2) and of parametric reducibility after Girard (Subsection 4.3). Detailed proofs
of the main lemma related to reducibility candidates are in Appendix B. The central result of this paper,
i.e., cut elimination, is proved in detail in Subsection 4.4. Section 5 surveys the related work and concludes
the paper.



2. The Logic Linc$^-$

The logic Linc$^-$ shares the core fragment of FO$\lambda^{\Delta\mathbb{N}}$, which is an intuitionistic version of Church's Simple
Theory of Types. We shall assume that the reader is familiar with Church's simply typed $\lambda$-calculus (with
both $\beta$ and $\eta$ rules), so we shall recall only the basic syntax of the calculus here. A simple type is either a
base type or a compound type formed using the function-type constructor $\to$. Types are ranged over by $\alpha$,
$\beta$ and $\tau$. We assume an infinite set of typed variables, written $x_\alpha$, $y_\beta$, etc. The syntax of $\lambda$-terms is given
by the following grammar:

$$s, t ::= x_\tau \mid (\lambda x_\tau.\, t) \mid (s\; t)$$

To simplify presentation, in the following we shall often omit the type index in variables and $\lambda$-abstraction.
The notions of free and bound variables are defined as usual.

Following Church, we distinguish a base type $o$ to denote formulae, and we shall represent formulae as
simply typed $\lambda$-terms of type $o$. We assume a set of typed constants that correspond to logical connectives.
The constants $\top : o$ and $\bot : o$ denote 'true' and 'false', respectively. Propositional binary connectives, i.e., $\wedge$,
$\vee$, and $\supset$, are assigned the type $o \to o \to o$. Quantifiers are represented by indexed families of constants: $\forall_\tau$
and $\exists_\tau$, both of type $(\tau \to o) \to o$. We also assume a family of typed equality symbols $=_\tau : \tau \to \tau \to o$.
Although we adopt a representation of formulae as $\lambda$-terms, we shall use a more traditional notation when
writing down formulae. For example, instead of writing $(\wedge\; A\; B)$, we shall use the infix notation $(A \wedge B)$.
Similarly, we shall write $\forall_\alpha x.P$ instead of $\forall_\alpha\,(\lambda x_\alpha.P)$. Again, we shall omit the type annotation when it
can be inferred from the context of the discussion.

The type $\tau$ in quantifiers and the equality predicate is restricted to those simple types that do not
contain occurrences of $o$. Hence our logic is essentially first-order, since we do not allow quantification over
predicates. As we shall often refer to this kind of restriction to types, we give the following definition:

Definition 1. A simple type $\tau$ is essentially first-order (efo) if it is generated by the following grammar:

$$\tau ::= k \mid \tau \to \tau$$

where $k$ is a base type other than $o$.

For technical reasons (for presenting (co-)inductive proof rules), we introduce a notion of parameter into
the syntax of formulae. Intuitively, they play the role of eigenvariables ranging over the recursive call in
a fixed point expression. More precisely, to each predicate symbol $p$, we associate a countably infinite set
$\mathcal{P}_p$, called the parameter set for $p$. Elements of $\mathcal{P}_p$ are ranged over by $X^p$, $Y^p$, $Z^p$, etc., and have the same
type as $p$. When we refer to formulae of Linc$^-$, we have in mind simply typed $\lambda$-terms of type $o$ in $\beta\eta$-long
normal form. Thus formulae of the logic Linc$^-$ can be equivalently defined via the following grammar:

$$F ::= X^p\, t \mid s =_\tau t \mid p\, t \mid \bot \mid \top \mid F \wedge F \mid F \vee F \mid F \supset F \mid \forall_\tau x.F \mid \exists_\tau x.F.$$
where $\tau$ is an efo-type. We shall omit the type annotation in $s =_\tau t$ when it is not important to the discussion.

[Figure 1: The inference rules of Linc$^-$. The figure lists the core logical and structural rules (including init and mc), followed by the equality rules, the induction rules and the co-induction rules.]

A substitution is a type-preserving mapping from variables to terms. We assume the usual notion of
capture-avoiding substitutions. Substitutions are ranged over by lower-case Greek letters, e.g., $\theta$, $\rho$ and
$\sigma$. Application of substitution is written in postfix notation, e.g. $t\theta$ denotes the term resulting from an
application of substitution $\theta$ to $t$. Composition of substitutions, denoted by $\circ$, is defined as $t(\theta \circ \rho) = (t\theta)\rho$.

The whole logic is presented in the sequent calculus in Figure 1, including rules for equality and fixed
points, as we discuss in Sections 2.1 and 2.2. A sequent is denoted by $\Gamma \longrightarrow C$ where $C$ is a formula in $\beta\eta$-long
normal form and $\Gamma$ is a multiset of formulae, also in $\beta\eta$-long normal form. Notice that in the presentation
of the rule schemes, we make use of HOAS, e.g., in the application $B\,x$ it is implicit that $B$ has no free
occurrence of $x$. Similarly for the (co)induction rules. We work modulo $\alpha$-conversion without further notice.
In the $\forall\mathcal{R}$ and $\exists\mathcal{L}$ rules, $y$ is an eigenvariable that is not free in the lower sequent of the rule. The mc rule
is a generalization of the cut rule that simplifies the presentation of the cut-elimination proof.

Whenever we write a sequent, it is assumed implicitly that the formulae are well-typed: the type context,
i.e., the types of the constants and the eigenvariables used in the sequent, is left implicit as well, since they can
be inferred from the type annotations of the (eigen)variables.

In some inference rules, reading them bottom up, new eigenvariables and parameters may be introduced
in the premises of the rules, for instance, in $\exists\mathcal{L}$ and $\forall\mathcal{R}$, as is typical in sequent calculus. However, unusually,
we shall also allow $\exists\mathcal{R}$, $\forall\mathcal{L}$ and mc to possibly introduce new eigenvariables (and new parameters, in the
case of mc), again reading the rules bottom-up. Thus the term $t$ in the premise of the $\exists\mathcal{R}$ rule may contain
a free occurrence of an eigenvariable not already occurring in the conclusion of the rule. The implication
of this is that $\exists_\tau x.\top$ is provable for any type $\tau$; in other words, there is an implicit assumption that all
types are non-empty. Hence the quantifiers in our setting behave more classically than intuitionistically.
The reason for this rather awkward treatment of quantifiers is merely a technical convenience. We could
forgo the non-emptiness assumption on types by augmenting sequents with an explicit signature acting as a
typing environment, and insisting that the term $t$ in $\exists\mathcal{R}$ be well-formed under the typing environment of
the conclusion of the rule. However, adding explicit typing contexts into sequents introduces another layer
of bureaucracy in the proof of cut elimination, which is not especially illuminating. And since our primary
goal is to show the central arguments in cut elimination involving (co-)induction, we opt to present a slightly
simplified version of the logic so that the main technical arguments (which are already quite complicated) in
the cut elimination proof, related to (co-)induction rules, can be seen more clearly. The cut elimination proof
presented in the paper can be adapted to a different presentation of Linc$^-$ with explicit typing contexts;
see [52, 53] for an idea of how such an adaptation may be done.



We extend the logical fragment with a proof-theoretic notion of equality and fixed points.

2.1. Equality

The right introduction rule for equality is reflexivity, that is, it recognizes that two terms are syntactically
equal. The left introduction rule is more interesting. The substitution $\rho$ in eq$\mathcal{L}$ is a unifier of $s$ and $t$. Note
that we specify the premise of eq$\mathcal{L}$ as a set, with the intention that every sequent in the set is a premise of
the rule. This set is of course infinite; every unifier of $(s, t)$ can be extended to another one (e.g., by adding
substitution pairs for variables not in the terms). However, in many cases, it is sufficient to consider a
particular set of unifiers, which is often called a complete set of unifiers (CSU) 0], from which any unifier
can be obtained by composing a member of the CSU set with a substitution. In the case where the terms
are first-order terms, or higher-order terms with the pattern restriction [30], the set CSU is a singleton, i.e.,
there exists a most general unifier (MGU) for the terms.

Our rules for equality actually encompass the notion of free equality as commonly found in logic
programming, in the form of Clark's equality theory: injectivity of function symbols, inequality between
distinct function symbols, and the "occur-check" follow from the eq$\mathcal{L}$ rule. For instance, given a base
type $nt$ (for natural numbers) and the constants $z : nt$ (zero) and $s : nt \to nt$ (successor), we can derive
$\forall x.\; z = (s\,x) \supset \bot$ as follows:

$$
\dfrac{\dfrac{\dfrac{}{z = (s\,y) \longrightarrow \bot}\ \mathrm{eq}\mathcal{L}}{\longrightarrow z = (s\,y) \supset \bot}\ {\supset}\mathcal{R}}{\longrightarrow \forall x.\; z = (s\,x) \supset \bot}\ \forall\mathcal{R}
$$

Since $z$ and $s\,y$ are not unifiable, the eq$\mathcal{L}$ rule above has empty premise, thus concluding the derivation.
A similar derivation establishes the occur-check property, e.g., $\forall x.\; x = (s\,x) \supset \bot$. We can also prove the
injectivity of the successor function, i.e. $\forall x \forall y.\; (s\,x) = (s\,y) \supset x = y$.
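The three freeness properties above can be checked mechanically in the first-order case, where the CSU is a singleton. The following is an added example, not code from the paper: it computes the premise set of eq$\mathcal{L}$ from an MGU, and the names `Var`, `App`, `mgu`, `eqL_premises` and `closes_by_eqR` are hypothetical.

```python
from dataclasses import dataclass

# Added illustration (not from the paper): first-order terms only, so the
# complete set of unifiers is either empty or a single most general unifier.

@dataclass(frozen=True)
class Var:
    name: str

@dataclass(frozen=True)
class App:
    head: str            # constant or function symbol, e.g. "z", "s", "="
    args: tuple = ()

def walk(t, subst):
    """Follow variable bindings until an unbound variable or an App."""
    while isinstance(t, Var) and t in subst:
        t = subst[t]
    return t

def occurs(v, t, subst):
    """Occur-check: does variable v occur in t under subst?"""
    t = walk(t, subst)
    if t == v:
        return True
    return isinstance(t, App) and any(occurs(v, a, subst) for a in t.args)

def mgu(s, t):
    """Return a most general unifier of s and t as a dict, or None."""
    subst, stack = {}, [(s, t)]
    while stack:
        a, b = stack.pop()
        a, b = walk(a, subst), walk(b, subst)
        if a == b:
            continue
        if isinstance(a, Var):
            if occurs(a, b, subst):
                return None              # occur-check failure
            subst[a] = b
        elif isinstance(b, Var):
            if occurs(b, a, subst):
                return None
            subst[b] = a
        elif a.head != b.head or len(a.args) != len(b.args):
            return None                  # distinct function symbols clash
        else:
            stack.extend(zip(a.args, b.args))
    return subst

def apply_subst(t, subst):
    """Apply subst to t (postfix t-theta in the paper's notation)."""
    t = walk(t, subst)
    if isinstance(t, App):
        return App(t.head, tuple(apply_subst(a, subst) for a in t.args))
    return t

def eqL_premises(s, t, gamma, c):
    """Premises of eqL for the sequent  s = t, Gamma --> C,  one per CSU member.

    An empty list means the rule has no premise, so the sequent is proved.
    """
    theta = mgu(s, t)
    if theta is None:
        return []
    return [([apply_subst(f, theta) for f in gamma], apply_subst(c, theta))]

def closes_by_eqR(c):
    """eqR applies when the conclusion is t = t for syntactically equal sides."""
    return c.head == "=" and len(c.args) == 2 and c.args[0] == c.args[1]

def s(t):
    return App("s", (t,))

# Constructed sample terms over the signature z : nt, s : nt -> nt.
x, y, z = Var("x"), Var("y"), App("z")
BOT = App("bot")

if __name__ == "__main__":
    print(eqL_premises(z, s(y), [], BOT))                  # distinctness
    print(eqL_premises(x, s(x), [], BOT))                  # occur-check
    print(eqL_premises(s(x), s(y), [], App("=", (x, y))))  # injectivity
```

For the injectivity sequent the single premise has a conclusion of the form $t = t$, which eq$\mathcal{R}$ closes; for the other two the premise set is empty.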

This proof theoretic notion of equality has been considered in several previous work e.g. by Schroeder- 



2.2. Induction and co-induction

One way of adding induction and co-induction to a logic is to introduce fixed point expressions and
their associated introduction and elimination rules, i.e. using the $\mu$ and $\nu$ operators of the (first-order)
$\mu$-calculus. This is essentially what we shall follow here, but with a different notation. Instead of using a
"nameless" notation with $\mu$ and $\nu$ to express fixed points, we associate a fixed point equation with an atomic
formula. That is, we associate certain designated predicates with a definition. This notation is clearer and
more convenient as far as our applications are concerned. For a proof system using nameless notation for
(co)inductive predicates, the interested reader is referred to recent work by Baelde and Miller [||.

Definition 2. An inductive definition clause is written $\forall x.\; p\,x \stackrel{\mu}{=} B\,x$, where $p$ is a predicate constant.
The atomic formula $p\,x$ is called the head of the clause, and the formula $B\,x$, where $B$ is a closed term
containing no occurrences of parameters, is called the body. Similarly, a co-inductive definition clause is
written $\forall x.\; p\,x \stackrel{\nu}{=} B\,x$. The symbols $\stackrel{\mu}{=}$ and $\stackrel{\nu}{=}$ are used simply to indicate a definition clause: they are not
logical connectives. We shall write $\forall x.\; p\,x \stackrel{\triangle}{=} B\,x$ to denote a definition clause generally, i.e., when we
are not interested in the details of whether it is an inductive or a co-inductive definition. A definition is
a finite set of definition clauses. A predicate may occur at most once in the heads of the clauses of a
definition. We shall restrict to non-mutually recursive definitions. That is, given two clauses $\forall x.\; p\,x \stackrel{\triangle}{=} B\,x$
and $\forall y.\; q\,y \stackrel{\triangle}{=} C\,y$ in a definition, where $p \neq q$, if $p$ occurs in $C$ then $q$ does not occur in $B$, and vice versa.

Note that the above restriction to non-mutual recursion is immaterial, since in the first-order case it is well
known how one can easily encode mutually recursive predicates as a single predicate with an extra argument.
The rationale behind that restriction is merely to simplify the presentation of inference rules and the cut
elimination proof. Were we to allow mutually recursive definitions, the introduction rules I$\mathcal{L}$ and CI$\mathcal{R}$ for a
predicate $p$ would have possibly more than two premises, depending on the number of predicates which are
mutually dependent on $p$ (see [8] for a presentation of introduction rules for mutually dependent definitions).

For technical convenience we also bundle up all the definitional clauses for a given predicate in a single
clause, following the same principles as the iff-completion in logic programming. Further, in order to simplify
the presentation of rules that involve predicate substitutions, we denote a definition using an abstraction
over predicates, that is

$$\forall x.\; p\,x \stackrel{\triangle}{=} B\,p\,x$$

where $B$ is an abstraction with no free occurrence of the predicate symbol $p$ and variables $x$. Substitution of $p$
in the body of the clause with a formula $S$ can then be written simply as $B\,S\,x$. When writing definition
clauses, we often omit the outermost universal quantifiers, with the assumption that free variables in a clause
are universally quantified. For example, even numbers are defined as follows:

$$ev\; x \stackrel{\mu}{=} (x = z) \vee (\exists y.\; x = (s\,(s\,y)) \wedge ev\; y)$$

where in this case $B$ is of the form $\lambda p\,\lambda w.\; (w = z) \vee (\exists y.\; w = (s\,(s\,y)) \wedge p\; y)$.

The left and right rules for (co-)inductively defined atoms are given at the bottom of Figure 1. In rules I$\mathcal{L}$
and CI$\mathcal{R}$, the abstraction $S$ is an invariant of the (co-)induction rule. The variables $y$ are new eigenvariables
and $X^p$ is a new parameter not already occurring in the lower sequent. For the induction rule I$\mathcal{L}$, $S$ denotes
a pre-fixed point of the underlying fixed point operator. Similarly, for the co-induction rule CI$\mathcal{R}$, $S$ can be
seen as denoting a post-fixed point of the same operator. Here, we use a characterization of induction and
co-induction proof rules as, respectively, the least and the greatest solutions to a fixed point equation.

Notice that the right-introduction rules for inductive predicates and parameters (dually, the left-introduction
rules for co-inductive predicates and parameters) are slightly different from the corresponding rules in
Linc-like logics (see Remark 1). These rules can be better understood by the usual interpretation of (co-)inductive
definitions in second-order logic 3t| 37j (to simplify presentation, we show only the propositional case here):

$$p \stackrel{\mu}{=} B\,p \qquad \forall p.\,(B\,p \supset p) \supset p$$

$$p \stackrel{\nu}{=} B\,p \qquad \exists p.\, p \wedge (p \supset B\,p).$$

Then the right-introduction rule for an inductively defined predicate will involve an implicit universal
quantification over predicates. As is standard in sequent calculus, such a universally quantified predicate will be replaced
by a new eigenvariable (in this case, a new parameter), reading the rule bottom up. Note that if we were to
follow the above second-order interpretation literally, an alternative rule for inductive predicates could be:

$$\dfrac{B\,X^p \supset X^p,\ \Gamma \longrightarrow X^p}{\Gamma \longrightarrow p}\ \mathrm{I}\mathcal{R},\ p \stackrel{\mu}{=} B\,p$$

Then there would be no need to add the I$\mathcal{R}_p$ rule since it would be derivable, using the clause $B\,X^p \supset X^p$
in the left hand side of the sequent. (This, of course, is true only when such an I$\mathcal{R}_p$ instance appears above
an I$\mathcal{R}$ instance for $p$.) Our presentation has the advantage that it simplifies the cut-elimination arguments
in the subsequent sections. The left-introduction rule for a co-inductively defined predicate can be explained
dually.

A similar encoding of (co-)inductive definitions as second-order formulae is used in Q, where
cut-elimination is indirectly proved by appealing to a focused proof system for higher-order linear logic. A
similar approach can be followed for Linc$^-$, but we prefer to develop a direct cut-elimination proof, since
such a proof can serve as the basis of cut-elimination for extensions of Linc$^-$, for example, with the
$\nabla$-quantifier [III, El].

Remark 1 (Fixed point unfolding). A commonly used form of introduction rules for definitions, or fixed
points, uses an unfolding of the definitions. This form of rules is followed in several related logics, e.g.,
FO$\lambda^{\Delta\mathbb{N}}$ [25], Linc [33, 52] and $\mu$-MALL. The right-introduction rule for inductive definitions, for instance,
takes the form:

$$\dfrac{\Gamma \longrightarrow B\,p\,t}{\Gamma \longrightarrow p\,t}\ \mathrm{I}\mathcal{R}',\ p\,x \stackrel{\mu}{=} B\,p\,x$$

That is, in the premise, the predicate $p$ is replaced with the body of the definition. The logic Linc, like
FO$\lambda^{\Delta\mathbb{N}}$, imposes a stratification on definitions, which amounts to a strict positivity condition: the head of
a definition can only appear in a strictly positive position in the body, i.e., it never appears to the left of an
implication. Let us call such a definition a stratified definition. For stratified definitions, the rule I$\mathcal{R}'$ can be
derived as follows:

$$
\dfrac{\Gamma \longrightarrow B\,p\,t \qquad
\dfrac{\begin{array}{c}
\dfrac{\dfrac{\dfrac{}{B\,X^p\,x \longrightarrow B\,X^p\,x}\ \mathrm{init}}{B\,X^p\,x \longrightarrow X^p\,x}\ \mathrm{I}\mathcal{R}_p
\qquad \dfrac{}{X^p\,u \longrightarrow X^p\,u}\ \mathrm{init}}{p\,u \longrightarrow X^p\,u}\ \mathrm{I}\mathcal{L} \\
\vdots \\
B\,p\,t \longrightarrow B\,X^p\,t
\end{array}}{B\,p\,t \longrightarrow p\,t}\ \mathrm{I}\mathcal{R}}
{\Gamma \longrightarrow p\,t}\ mc
$$

where the 'dots' are a derivation composed using left and right introduction rules for logical connectives in
$B$. Notice that all leaves of the form $p\,u \longrightarrow X^p\,u$ can be proved by using the I$\mathcal{L}$ rule, with $X^p$ as the
inductive invariant. Conversely, given a stratified definition, any proof in Linc$^-$ using that definition can be
transformed into a proof of Linc simply by replacing $X^p$ with $p$. Note that once I$\mathcal{R}'$ is shown admissible,
one can also prove admissibility of unfolding of inductive definitions on the left of a sequent; see [H2} for a
proof.

Since a defined atomic formula can be unfolded via its introduction rules, the notion of size of a formula
as simply the number of connectives in it would not take into account this possible unfolding. We shall define
a more general notion assigning a positive integer to each predicate symbol, which we refer to as its level. A
similar notion of level of a predicate was introduced for FO$\lambda^{\Delta\mathbb{N}}$ [25]. However, in FO$\lambda^{\Delta\mathbb{N}}$, the level of a
predicate is only used to guarantee monotonicity of definitions.

Definition 3 (Size of formulae). To each predicate $p$ we associate a natural number $\mathrm{lvl}(p)$, the level of
$p$. Given a formula $B$, its size $|B|$ is defined as follows:

1. $|X^p\, t| = 1$, for any $X^p$ and any $t$.

2. $|p\, t| = \mathrm{lvl}(p)$.

3. $|\bot| = |\top| = |(s = t)| = 1$.

4. $|B \wedge C| = |B \vee C| = |B \supset C| = |B| + |C| + 1$.

5. $|\forall x.\, B\,x| = |\exists x.\, B\,x| = |B\,x| + 1$.

Note that in this definition, we do not specify precisely any particular level assignment to predicates. 
We show next that there is a level assignment that has a property that will be useful later in proving cut 
elimination. 

Lemma 1 (Level assignment). Given any definition $\mathcal{D}$, there is a level assignment to every predicate $p$
occurring in $\mathcal{D}$ such that if $\forall x.\; p\,x \stackrel{\triangle}{=} B\,p\,x$ is in $\mathcal{D}$, then $|p\,x| > |B\,X^p\,x|$ for every parameter $X^p \in \mathcal{P}_p$.

Proof. Let $\prec$ be a binary relation on predicate symbols defined as follows: $q \prec p$ iff $q$ occurs in the body of
the definition clause for $p$. Let $\prec^*$ be the reflexive-transitive closure of $\prec$. Since we restrict to non-mutually
recursive definitions and there are only finitely many definition clauses (Definition 2), it follows that $\prec^*$ is
a well-founded partial order. We now compute a level assignment to predicate symbols by induction on $\prec^*$.
This is simply done by letting $\mathrm{lvl}(p) = 1$, if $p$ is undefined, and $\mathrm{lvl}(p) = |B\,X^p\,x| + 1$, for some parameter
$X^p$, if $\forall x.\; p\,x \stackrel{\triangle}{=} B\,p\,x$. Note that in the latter case, by induction hypothesis, every predicate symbol $q$, other
than $p$, in $B$ has already been assigned a level, so $|B\,X^p\,x|$ is already defined at this stage. Note also that it
does not matter which $X^p$ we choose since all parameters have the same size. □

We shall assume from now on that predicates are assigned levels satisfying the condition of Lemma 1,
so whenever we have a definition clause of the form $\forall x.\; p\,x \stackrel{\triangle}{=} B\,p\,x$, we shall implicitly assume that $|p\,x| >
|B\,X^p\,x|$ for every parameter $X^p \in \mathcal{P}_p$.
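The construction in the proof of Lemma 1 is directly executable. The following is an added example, not code from the paper: it computes sizes as in Definition 3 and levels as in the proof, for a constructed definition containing the `ev` clause of Section 2.2 plus a hypothetical predicate `odd` that depends on it; the tuple encoding of formulae and all function names are assumptions of this sketch.

```python
# Added illustration (not from the paper). Formulae are nested tuples with
# terms abstracted away, since sizes in Definition 3 do not depend on them:
#   ("param", p)  X^p t        ("atom", p)  p t
#   ("bot",) ("top",) ("eq",)  ("and"|"or"|"imp", B, C)  ("all"|"ex", B)

def size(formula, lvl):
    """|formula| as in Definition 3; lvl maps a predicate name to its level."""
    tag = formula[0]
    if tag in ("param", "bot", "top", "eq"):
        return 1
    if tag == "atom":
        return lvl(formula[1])
    if tag in ("and", "or", "imp"):
        return size(formula[1], lvl) + size(formula[2], lvl) + 1
    if tag in ("all", "ex"):
        return size(formula[1], lvl) + 1
    raise ValueError(f"unknown formula tag: {tag!r}")

def instantiate(body, p):
    """B X^p x: replace the recursive occurrences of p by a parameter."""
    if body == ("atom", p):
        return ("param", p)
    return (body[0],) + tuple(
        instantiate(b, p) if isinstance(b, tuple) else b for b in body[1:]
    )

def assign_levels(definition):
    """Level assignment from the proof of Lemma 1.

    definition maps each defined predicate to its body B p x.
    lvl(p) = 1 for undefined p, and |B X^p x| + 1 otherwise.
    Mutually recursive clauses are rejected, as in Definition 2.
    """
    levels, in_progress = {}, set()

    def lvl(p):
        if p in levels:
            return levels[p]
        if p not in definition:
            levels[p] = 1                      # undefined predicate
            return 1
        if p in in_progress:
            raise ValueError(f"mutually recursive definition involving {p!r}")
        in_progress.add(p)
        levels[p] = size(instantiate(definition[p], p), lvl) + 1
        in_progress.discard(p)
        return levels[p]

    for p in definition:
        lvl(p)
    return levels

def satisfies_lemma1(definition, levels):
    """Check |p x| > |B X^p x| for every clause of the definition."""
    return all(
        levels[p] > size(instantiate(body, p), lambda q: levels[q])
        for p, body in definition.items()
    )

# Constructed sample definition:
#   ev x  = (x = z) \/ (exists y. x = s (s y) /\ ev y)     (from Section 2.2)
#   odd x = exists y. x = s y /\ ev y                       (hypothetical)
SAMPLE = {
    "ev": ("or", ("eq",), ("ex", ("and", ("eq",), ("atom", "ev")))),
    "odd": ("ex", ("and", ("eq",), ("atom", "ev"))),
}

if __name__ == "__main__":
    levels = assign_levels(SAMPLE)
    print(levels, satisfies_lemma1(SAMPLE, levels))
```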

Remark 2 (Non-monotonicity). In FO$\lambda^{\Delta\mathbb{N}}$, a notion of stratification is used to rule out non-monotone
(or in Hallnäs' terminology partial [19]) definitions, such as $p \stackrel{\triangle}{=} p \supset \bot$, for which cut-elimination is
problematic.$^3$ In fact, from the above definition both $p$ and $p \supset \bot$ are provable, but there is no direct proof of $\bot$.
This can be traced back to the fact that unfolding of definitions in Linc and FO$\lambda^{\Delta\mathbb{N}}$ is allowed on both the
left and the right hand side of a sequent. In Linc$^-$, inconsistency does not arise even allowing a non-monotone
definition as above, due to the fact that arbitrary unfolding of fixed points is not permitted. Instead, only
a limited form of unfolding is allowed, i.e., in the form of unfolding of inductive parameters on the right,
and co-inductive parameters on the left. As a consequence of this restrictive unfolding, in Linc$^-$ one cannot
reason about some well-founded inductive definitions which are not stratified. For example, consider the
non-stratified definition:

$$\forall x.\; ev\; x \stackrel{\mu}{=} (x = z) \vee (\exists y.\; x = (s\,y) \wedge (ev\; y \supset \bot))$$

If this definition were to be interpreted as a logic program (with negation-as-failure), for example, then
its least fixed point is exactly the set of even natural numbers. However, the above encoding in Linc$^-$ is
incomplete with respect to this interpretation, since not all even natural numbers can be derived using the
above definition. For example, it is easy to see that $ev\,(s\,(s\,z))$ is not derivable, since this would require a
derivation of $X^{ev}\,(s\,z) \longrightarrow \bot$, for some inductive parameter $X^{ev}$, which is impossible because no unfolding
of inductive parameters is allowed on the left of a sequent. The same idea prevents the derivability of $\longrightarrow p$
given the definition $p \stackrel{\triangle}{=} p \supset \bot$. So while inconsistency in the presence of non-monotone definitions is avoided
in Linc$^-$, its reasoning power does not extend that of Linc significantly.



3 Other ways beyond stratification of recovering cut-elimination are disallowing contraction or restricting to an init rule for 
undefined atoms. 






3. Eigenvariables and parameters instantiations 



We now discuss some properties of derivations in Linc$^-$ which involve instantiations of eigenvariables and
parameters. These properties will be used in the cut-elimination proof in subsequent sections.
Before we proceed, it will be useful to introduce the following derived rule in Linc$^-$:

$$\dfrac{\{\Gamma\theta \longrightarrow C\theta\}_\theta}{\Gamma \longrightarrow C}\ subst$$

This rule is just a 'macro' for the following derivation:

f—^c mc 

where $t$ is some arbitrary term. The motivation behind the rule subst is purely technical; it allows us to
prove that a derivation transformation (i.e., substitutions of eigenvariables in derivations in Section 3.1)
commutes with cut reduction (see Lemma 5). Since the rule subst hides a simple form of cut, to prove
cut-elimination of Linc$^-$, we have to show that subst, in addition to mc, is admissible. In the following, $\epsilon$
denotes the identity substitution, i.e., $\epsilon(x) = x$ for every variable $x$.

Lemma 2 (sw&si-elimination). For every T and C, if the sequent T — > C is (cut-free) derivable in Line - 
with subst then it is (cut-free) derivable in Line - without subst. 

Proof. Given a derivation $\Pi$ of $\Gamma \longrightarrow C$ with occurrences of subst, obtain a subst-free derivation by simply
replacing any subderivation in $\Pi$ of the form:

$$\frac{\left\{\begin{array}{c}\Pi^\theta \\ \Delta\theta \longrightarrow B\theta\end{array}\right\}_{\theta}}{\Delta \longrightarrow B}\ subst$$

with its premise $\Pi^\epsilon$. □

Following [25], we define a measure which corresponds to the height of a derivation:

Definition 4. Given a derivation $\Pi$ with premise derivations $\{\Pi_i\}_{i \in I}$, for some index set $I$, the measure
$ht(\Pi)$ is the least upper bound $lub(\{ht(\Pi_i)\}_{i \in I}) + 1$.

Note that given the possible infinite branching of the $eq\mathcal{L}$ rule, these measures can in general be (countable)
ordinals. Therefore proofs and definitions on those measures require transfinite induction and recursion. 
However, in most of the proofs to follow, we do case analysis on the last rule of a derivation. In such a 
situation, the inductive cases for both successor and limit ordinals are basically covered by the case analysis 
on the inference figures involved, and we shall not make explicit use of transfinite principles. 

With respect to the use of eigenvariables and parameters in a derivation, there may be occurrences of
these that are not free in the end sequent. We refer to these variables and parameters as the internal
variables and parameters, respectively. We view the choices of those variables and parameters as arbitrary 
and therefore identify derivations which differ on the choice of internal variables and parameters. In other 
terms, we quotient derivations modulo injective renaming of internal eigenvariables and parameters. 

3.1. Instantiating eigenvariables 

The following definition extends eigenvariable substitutions to apply to derivations. Since we identify 
derivations that differ only in the choice of internal eigenvariables, we will assume that such variables are 
chosen to be distinct from the variables in the domain of the substitution and from the free variables of the 
range of the substitution. Thus applying a substitution to a derivation will only affect the variables free in 
the end-sequent. 

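Definition 5. If $\Pi$ is a derivation of $\Gamma \longrightarrow C$ and $\theta$ is a substitution, then we define the derivation $\Pi\theta$ of
$\Gamma\theta \longrightarrow C\theta$ as follows:

1. Suppose $\Pi$ ends with the $eq\mathcal{L}$ rule

$$\frac{\left\{\begin{array}{c}\Pi^\rho \\ \Gamma'\rho \longrightarrow C\rho\end{array}\right\}_{\rho}}{s = t, \Gamma' \longrightarrow C}\ eq\mathcal{L}$$

where each $\rho$ satisfies $s\rho =_{\beta\eta} t\rho$. Observe that any unifier for the pair $(s\theta, t\theta)$ can be transformed to
another unifier for $(s,t)$, by composing the unifier with $\theta$. Thus $\Pi\theta$ is

$$\frac{\left\{\begin{array}{c}\Pi^{\theta\circ\rho'} \\ \Gamma'\theta\rho' \longrightarrow C\theta\rho'\end{array}\right\}_{\rho'}}{s\theta = t\theta, \Gamma'\theta \longrightarrow C\theta}\ eq\mathcal{L}$$

where $s\theta\rho' =_{\beta\eta} t\theta\rho'$.

2. If $\Pi$ ends with subst with premise derivations $\{\Pi^\rho\}_{\rho}$ then $\Pi\theta$ also ends with the same rule and has
premise derivations $\{\Pi^{\theta\circ\rho'}\}_{\rho'}$.

3. If $\Pi$ ends with any other rule and has premise derivations $\Pi_1, \ldots, \Pi_n$, then $\Pi\theta$ also ends with the same
rule and has premise derivations $\Pi_1\theta, \ldots, \Pi_n\theta$.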

Among the premises of the inference rules of Linc$^-$ (with the exception of $CI\mathcal{R}$), certain premises share the
same right-hand side formula with the sequent in the conclusion. We refer to such premises as major premises. 
This notion of major premise will be useful in proving cut-elimination, as certain proof transformations 
involve only major premises. 

Definition 6. Given an inference rule R with one or more premise sequents, we define its major premise 
sequents as follows. 

1. If $R$ is either $\supset\mathcal{L}$, mc or $I\mathcal{L}$, then its rightmost premise is the major premise.

2. If $R$ is $CI\mathcal{R}$, then its left premise is the major premise.

3. Otherwise, all the premises of R are major premises. 

A minor premise of a rule R is a premise of R which is not a major premise. The definition extends to 
derivations by replacing premise sequents with premise derivations. 

The proofs of the following two lemmas are straightforward from Definition [5] and induction on the height
of derivations.

Lemma 3. For any substitution $\theta$ and derivation $\Pi$ of $\Gamma \longrightarrow C$, $\Pi\theta$ is a derivation of $\Gamma\theta \longrightarrow C\theta$.

Lemma 4. For any derivation $\Pi$ and substitution $\theta$, $ht(\Pi) \geq ht(\Pi\theta)$.

Lemma 5. For any derivation $\Pi$ and substitutions $\theta$ and $\rho$, the derivations $(\Pi\theta)\rho$ and $\Pi(\theta \circ \rho)$ are the same
derivation.

3.2. Instantiating parameters 

Definition 7. A parameter substitution $\Theta$ is a partial map from parameters to pairs of proofs and closed
terms such that whenever

$$\Theta(X^p) = (\Pi_S, S)$$

then $S$ has the same type as $p$ and either one of the following holds:

• $p\,x = B\,p\,x$, for some $B$ and $x$, and $\Pi_S$ is a derivation of $B\,S\,x \longrightarrow S\,x$, or

• $p\,x = B\,p\,x$, for some $B$ and $x$, and $\Pi_S$ is a derivation of $S\,x \longrightarrow B\,S\,x$.

The support of $\Theta$ is the set

$$supp(\Theta) = \{X^p \mid \Theta(X^p) \text{ is defined}\}.$$

We consider only parameter substitutions with finite support.

We say that $X^p$ is fresh for $\Theta$, written $X^p \# \Theta$, if for each $Y^q \in supp(\Theta)$, $X^p \neq Y^q$ and $X^p$ does not
occur in $S$ whenever $\Theta(Y^q) = (\Pi_S, S)$.






We shall often enumerate a parameter substitution using a similar notation to (eigenvariables) substitution, e.g.,

$$[(\Pi_1, S_1)/X^{p_1}, \ldots, (\Pi_n, S_n)/X^{p_n}]$$

denotes a parameter substitution $\Theta$ with support $\{X^{p_1}, \ldots, X^{p_n}\}$ and $\Theta(X^{p_i}) = (\Pi_i, S_i)$.

Given a formula $C$ and a parameter substitution $\Theta$ as above, we write $C\Theta$ to denote the formula

$$C[S_1/X^{p_1}, \ldots, S_n/X^{p_n}].$$

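Definition 8. Let $\Pi$ be a derivation of $\Gamma \longrightarrow C$ and let $\Theta$ be a parameter substitution. Define the derivation
$\Pi\Theta$ of $\Gamma\Theta \longrightarrow C\Theta$ by induction on the height of $\Pi$ as follows:

• Suppose $C = X^p\,t$ for some $X^p$ such that $\Theta(X^p) = (\Pi_S, S)$ and $\Pi$ ends with $I\mathcal{R}_p$, as shown below left.
Then $\Pi\Theta$ is as shown below right.

$$\frac{\begin{array}{c}\Pi' \\ \Gamma \longrightarrow B\,X^p\,t\end{array}}{\Gamma \longrightarrow X^p\,t}\ I\mathcal{R}_p
\qquad\qquad
\frac{\begin{array}{c}\Pi'\Theta \\ \Gamma\Theta \longrightarrow B\,S\,t\end{array} \qquad \begin{array}{c}\Pi_S[t/x] \\ B\,S\,t \longrightarrow S\,t\end{array}}{\Gamma\Theta \longrightarrow S\,t}\ mc$$

• Similarly, suppose $\Pi$ ends with $CI\mathcal{L}_p$ on $X^p\,t$ and $X^p \in supp(\Theta)$:

$$\frac{\begin{array}{c}\Pi' \\ B\,X^p\,t, \Gamma' \longrightarrow C\end{array}}{X^p\,t, \Gamma' \longrightarrow C}\ CI\mathcal{L}_p$$

where $p\,x = B\,p\,x$ and $\Theta(X^p) = (\Pi_S, S)$. Then $\Pi\Theta$ is

$$\frac{\dfrac{\dfrac{}{S\,t \longrightarrow S\,t}\ init \qquad \begin{array}{c}\Pi_S[t/x] \\ S\,t \longrightarrow B\,S\,t\end{array}}{S\,t \longrightarrow B\,S\,t}\ mc \qquad \begin{array}{c}\Pi'\Theta \\ B\,S\,t, \Gamma'\Theta \longrightarrow C\Theta\end{array}}{S\,t, \Gamma'\Theta \longrightarrow C\Theta}\ mc$$

• In all other cases, suppose $\Pi$ ends with a rule $R$ with premise derivations $\{\Pi_i\}_{i \in I}$ for some index set
$I$. Since we identify derivations up to renaming of internal parameters, we assume without loss of
generality that the internal eigenvariables in the premises of $R$ (if any) do not appear in $\Theta$. Then $\Pi\Theta$
ends with the same rule, with premise derivations $\{\Pi_i\Theta\}_{i \in I}$.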

Remark 3. Notice that the definition of application of parameter substitution in derivations in Definition [7]
is asymmetric in the treatment of inductive and co-inductive parameters, i.e., in the cases where $\Pi$ ends with
$I\mathcal{R}_p$ and $CI\mathcal{L}_p$. In the latter case, the substituted derivation uses a seemingly unnecessary cut

$$\frac{\dfrac{}{S\,t \longrightarrow S\,t}\ init \qquad \begin{array}{c}\Pi_S[t/x] \\ S\,t \longrightarrow B\,S\,t\end{array}}{S\,t \longrightarrow B\,S\,t}\ mc$$

The reason behind this is rather technical; in our main cut elimination proof, we need to establish that
$\Pi_S[t/x]$ is "reducible" (i.e., all the cuts in it can be eventually eliminated), given that the above cut is
reducible. In a typical cut elimination procedure, say Gentzen's proof for LK, one would have expected that
the above cut reduces to $\Pi_S[t/x]$, hence reducibility of $\Pi_S$ would follow from reducibility of the above cut.
However, according to our cut reduction rules (see Section 4.1), the above cut does not necessarily reduce
to $\Pi_S[t/x]$. However, if the instance of init appears instead on the right premise of the cut, e.g., as in

$$\frac{\begin{array}{c}\Pi_S[t/x] \\ B\,S\,t \longrightarrow S\,t\end{array} \qquad \dfrac{}{S\,t \longrightarrow S\,t}\ init}{B\,S\,t \longrightarrow S\,t}\ mc$$

the cut elimination procedure does reduce this to $\Pi_S[t/x]$, so it is not necessary to introduce explicitly
this cut instance in the case involving inductive parameters. It is possible to define a symmetric notion 
of parameter substitution, but that would require different cut reduction rules than the ones we proposed 
in this paper. Another possibility would be to push the asymmetry to the definition of reducibility (see 
Section 2]). We have explored these alternative options, but for the purpose of proving cut elimination, we 
found that the current definition yields a simpler proof.⁴

The following lemma states that the derivation $\Pi\Theta$ is well-formed.

Lemma 6. Let $\Theta$ be a parameter substitution and $\Pi$ a derivation of $\Gamma \longrightarrow C$. Then $\Pi\Theta$ is a derivation of

Note that since parameter substitutions replace parameters with closed terms, they commute with (eigenvariable) substitutions.

Lemma 7. For every derivation $\Pi$, substitution $\delta$, parameter substitution $\Theta$, the derivation $(\Pi\Theta)\delta$ is the
same as the derivation $(\Pi\delta)\Theta$.

In the following, we denote with $[\Theta, (\Pi_S, S)/X^p]$, where $X^p \# \Theta$, a parameter substitution obtained by
extending $\Theta$ with the map $X^p \mapsto (\Pi_S, S)$.

Lemma 8. Let $\Pi$ be a derivation of $\Gamma \longrightarrow C$, $\Theta$ a parameter substitution and $X^p$ a parameter such that
$X^p \notin supp(\Theta)$ and $X^p$ does not occur in $\Gamma \longrightarrow C$. Then $\Pi[\Theta, (\Pi_S, S)/X^p] = \Pi\Theta$ for every $\Pi_S$ and $S$.

4. Cut elimination for Linc$^-$

The central result of our work is cut-elimination, from which consistency of the logic follows. Gentzen's
classic proof of cut-elimination for first-order logic uses an induction on the size of the cut formula. The
cut-elimination procedure consists of a set of reduction rules that reduces a cut of a compound formula to
cuts on its sub-formulae of smaller size. In the case of Linc$^-$, the use of induction/co-induction complicates
the reduction of cuts. Consider for example a cut involving the induction rules:

$$\frac{\dfrac{\begin{array}{c}\Pi_1 \\ \Delta \longrightarrow B\,X^p\,t\end{array}}{\Delta \longrightarrow p\,t}\ I\mathcal{R} \qquad \dfrac{\begin{array}{c}\Pi_B \\ B\,S\,y \longrightarrow S\,y\end{array} \qquad \begin{array}{c}\Pi \\ S\,t, \Gamma \longrightarrow C\end{array}}{p\,t, \Gamma \longrightarrow C}\ I\mathcal{L}}{\Delta, \Gamma \longrightarrow C}\ mc$$

There are at least two problems in reducing this cut. First, any permutation upwards of the cut will 
necessarily involve a cut with S that can be of larger size than p, and hence a simple induction on the size of 
the cut formula will not work. Second, the invariant S does not appear in the conclusion of the left premise 
of the cut. The latter means that we need to transform the left premise so that its end sequent will agree 
with the right premise. Any such transformation will most likely be global, and hence simple induction on 
the height of derivations will not work either. 

We shall use the reducibility technique to prove cut elimination. More specifically, we shall build on
the notion of reducibility introduced by Martin-Löf to prove normalization of an intuitionistic logic with
iterative inductive definition [24]. Martin-Löf's proof has been adapted to sequent calculus by McDowell
and Miller [25], but in a restricted setting where only natural number induction is allowed. Since our logic
involves arbitrary stratified inductive definitions, which also includes iterative inductive definitions, we shall
need different, and more general, cut reductions. But the real difficulty in our case is in establishing cut
elimination in the presence of co-inductive definitions, for which there is no known direct cut elimination
proof (prior to our work [33] on which this article is based), to the best of our knowledge, as far as the
sequent calculus is concerned.



4 But we conjecture that in the classical case a fully symmetric definition of parameter substitution and cut reduction would 
be needed. But this is outside the scope of the current paper. 






The main part of the reducibility technique is a definition of the family of reducible sets of derivations. In
Martin-Löf's theory of iterative inductive definition, this family of sets is defined inductively by the "type"
of the derivations they contain, i.e., the formula in the right-hand side of the end sequent in a derivation.
Extending this definition of reducibility to Linc$^-$ is not obvious. In particular, in establishing the reducibility
of a derivation of type $p\,t$ ending with a $CI\mathcal{R}$ rule one must first establish the reducibility of its premise
derivations, which may have larger types, since $S\,t$ could be any formula. Therefore a simple inductive
definition based on types of derivations would not be well-founded.

The key to properly "stratify" the definition of reducibility is to consider reducibility under parameter 
substitutions. This notion of reducibility, called parametric reducibility, was originally developed by Girard 
to prove strong normalisation of System F, i.e., in the interpretation of universal types. As with strong 
normalisation of System F, (co-) inductive parameters are substituted with some "reducibility candidates" , 
which in our case are certain sets of derivations satisfying closure conditions similar to those for System F, 
but which additionally satisfy certain closure conditions related to (co-) inductive definitions. 

The remainder of this section is structured as follows. In Section 4.1 we define a set of cut reduction rules
that are used to eliminate the applications of the cut rule. For the cases involving logical operators, the
cut-reduction rules used to prove the cut-elimination for Linc$^-$ are the same as those of $FO\lambda^{\Delta\mathbb{N}}$ [25]. The
crucial differences are, of course, in the reduction rules involving induction and co-induction rules, where
we use the transformation described in Definition [7]. We then proceed to define two notions essential to
our cut elimination proof: normalizability (Section 4.2) and parametric reducibility (Section 4.3). These
can be seen as counterparts for Martin-Löf's notions of normalizability and computability [24], respectively.
Normalizability of a derivation implies that all the cuts in it can be eventually eliminated (via the cut
reduction rules defined earlier). Reducibility is a stronger notion, in that it implies normalizability. The
main part of the cut elimination proof is presented in Section 4.4, where we show that every derivation is
reducible, hence it can be turned into a cut-free derivation.

4.1. Cut reduction

We now define a reduction relation on derivations ending with mc. This reduction relation is an extension 
of the similar cut reduction relation used in McDowell and Miller's cut elimination proof [25]. In particular,
the reduction rules involving introduction rules for logical connectives are the same. The main differences 
are, of course, in the reduction rules involving induction and co-induction rules. There is also slight difference 
in one reduction rule involving equality, which in our case utilises the derived rule subst. Therefore in the 
following definition, we shall highlight only those reductions that involve (co-)induction and equality rules. 
The complete list of reduction rules can be found in Appendix [A] 

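To ease presentation, we shall use the following notations to denote certain forms of derivations. The
derivation

$$\frac{\begin{array}{c}\Pi_1 \\ \Delta_1 \longrightarrow B_1\end{array} \quad \cdots \quad \begin{array}{c}\Pi_n \\ \Delta_n \longrightarrow B_n\end{array} \qquad \begin{array}{c}\Pi \\ \Gamma \longrightarrow C\end{array}}{\Delta_1, \ldots, \Delta_n, \Gamma \longrightarrow C}$$

is abbreviated as $mc(\Pi_1, \ldots, \Pi_n, \Pi)$. Whenever we write $mc(\Pi_1, \ldots, \Pi_n, \Pi)$ we assume implicitly that the
derivation is well-formed, i.e., $\Pi$ is a derivation ending with some sequent $\Gamma \longrightarrow C$ and the right-hand side
of the end sequent of each $\Pi_i$ is a formula $F \in \Gamma$. Similarly, we abbreviate as $Id_B$ the derivation

$$\frac{}{B \longrightarrow B}\ init$$

and $subst(\{\Pi^\theta\}_\theta)$ denotes a derivation ending with the rule subst with premise derivations $\{\Pi^\theta\}_\theta$.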

Definition 9. We define a reduction relation between derivations. The redex is always a derivation $\Xi$ ending
with the multicut rule

$$\frac{\begin{array}{c}\Pi_1 \\ \Delta_1 \longrightarrow B_1\end{array} \quad \cdots \quad \begin{array}{c}\Pi_n \\ \Delta_n \longrightarrow B_n\end{array} \qquad \begin{array}{c}\Pi \\ B_1, \ldots, B_n, \Gamma \longrightarrow C\end{array}}{\Delta_1, \ldots, \Delta_n, \Gamma \longrightarrow C}\ mc$$

We refer to the formulas $B_1, \ldots, B_n$ produced by the mc as cut formulas.

If $n = 0$, $\Xi$ reduces to the premise derivation $\Pi$. For $n > 0$ we specify the reduction relation based on
the last rule of the premise derivations. If the rightmost premise derivation $\Pi$ ends with a left rule acting
on a cut formula $B_i$, then the last rule of $\Pi_i$ and the last rule of $\Pi$ together determine the reduction rules
that apply. Following McDowell and Miller [25], we classify these rules according to the following criteria:
we call the rule an essential case when $\Pi_i$ ends with a right rule; if it ends with a left rule or subst, it is a
left-commutative case; if $\Pi_i$ ends with the init rule, then we have an axiom case; a multicut case arises when
it ends with the mc rule. When $\Pi$ does not end with a left rule acting on a cut formula, then its last rule
is alone sufficient to determine the reduction rules that apply. If $\Pi$ ends with subst or a rule acting on a
formula other than a cut formula, then we call this a right-commutative case. A structural case results when
$\Pi$ ends with a contraction or weakening on a cut formula. If $\Pi$ ends with the init rule, this is also an axiom
case; similarly a multicut case arises if $\Pi$ ends in the mc rule. For simplicity of presentation, we always show
$i = 1$.

We show here the cases involving (co-)induction rules. 



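Essential cases:

$eq\mathcal{L}/eq\mathcal{R}$ Suppose $\Pi_1$ and $\Pi$ are

$$\frac{}{\Delta_1 \longrightarrow s = t}\ eq\mathcal{R}
\qquad\qquad
\frac{\left\{\begin{array}{c}\Pi^\rho \\ B_2\rho, \ldots, B_n\rho, \Gamma\rho \longrightarrow C\rho\end{array}\right\}_{\rho}}{s = t, B_2, \ldots, B_n, \Gamma \longrightarrow C}\ eq\mathcal{L}$$

Note that in this case, $\rho$ in $\Pi$ ranges over all substitutions, as any substitution is a unifier of $s$ and $t$. Let $\Xi_1$
be the derivation $mc(\Pi_2, \ldots, \Pi_n, subst(\{\Pi^\rho\}_\rho))$. In this case, $\Xi$ reduces to

$$\dfrac{\begin{array}{c}\Xi_1 \\ \Delta_2, \ldots, \Delta_n, \Gamma \longrightarrow C\end{array}}{\overline{\;\Delta_1, \Delta_2, \ldots, \Delta_n, \Gamma \longrightarrow C\;}}\ w\mathcal{L}$$

We use the double horizontal lines to indicate that the relevant inference rule (in this case, $w\mathcal{L}$) may need
to be applied zero or more times.

$I\mathcal{R}/I\mathcal{L}$ Suppose $\Pi_1$ and $\Pi$ are, respectively,

$$\frac{\begin{array}{c}\Pi_1' \\ \Delta_1 \longrightarrow D\,X^p\,t\end{array}}{\Delta_1 \longrightarrow p\,t}\ I\mathcal{R}
\qquad\qquad
\frac{\begin{array}{c}\Pi_S \\ D\,S\,y \longrightarrow S\,y\end{array} \qquad \begin{array}{c}\Pi' \\ S\,t, B_2, \ldots, B_n, \Gamma \longrightarrow C\end{array}}{p\,t, B_2, \ldots, B_n, \Gamma \longrightarrow C}\ I\mathcal{L}$$

where $p\,x = D\,p\,x$ and $X^p$ is a new parameter. Then $\Xi$ reduces to

$$mc(mc(\Pi_1'[(\Pi_S, S)/X^p], \Pi_S[t/y]), \Pi_2, \ldots, \Pi_n, \Pi').$$

$CI\mathcal{R}/CI\mathcal{L}$ Suppose $\Pi_1$ and $\Pi$ are

$$\frac{\begin{array}{c}\Pi_1' \\ \Delta_1 \longrightarrow S\,t\end{array} \qquad \begin{array}{c}\Pi_S \\ S\,y \longrightarrow D\,S\,y\end{array}}{\Delta_1 \longrightarrow p\,t}\ CI\mathcal{R}
\qquad\qquad
\frac{\begin{array}{c}\Pi' \\ D\,X^p\,t, \ldots, \Gamma \longrightarrow C\end{array}}{p\,t, \ldots, \Gamma \longrightarrow C}\ CI\mathcal{L}$$

where $p\,x = D\,p\,x$ and $X^p$ is a new parameter. Then $\Xi$ reduces to

$$mc(mc(\Pi_1', \Pi_S[t/y]), \Pi_2, \ldots, \Pi_n, \Pi'[(\Pi_S, S)/X^p]).$$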

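Left-commutative cases: In the following, we suppose that $\Pi$ ends with a left rule, other than $\{c\mathcal{L}, w\mathcal{L}\}$,
acting on $B_1$.

$I\mathcal{L}/\circ\mathcal{L}$ Suppose $\Pi_1$ is

$$\frac{\begin{array}{c}\Pi_S \\ D\,S\,y \longrightarrow S\,y\end{array} \qquad \begin{array}{c}\Pi_1' \\ S\,t, \Delta_1' \longrightarrow B_1\end{array}}{p\,t, \Delta_1' \longrightarrow B_1}\ I\mathcal{L}$$

where $p\,x = D\,p\,x$. Let $\Xi_1 = mc(\Pi_1', \Pi_2, \ldots, \Pi_n, \Pi)$. Then $\Xi$ reduces to

$$\frac{\begin{array}{c}\Pi_S \\ D\,S\,y \longrightarrow S\,y\end{array} \qquad \begin{array}{c}\Xi_1 \\ S\,t, \Delta_1', \ldots, \Delta_n, \Gamma \longrightarrow C\end{array}}{p\,t, \Delta_1', \ldots, \Delta_n, \Gamma \longrightarrow C}\ I\mathcal{L}$$

Right-commutative cases:

$-/I\mathcal{L}$ Suppose $\Pi$ is

$$\frac{\begin{array}{c}\Pi_S \\ D\,S\,y \longrightarrow S\,y\end{array} \qquad \begin{array}{c}\Pi' \\ B_1, \ldots, B_n, S\,t, \Gamma' \longrightarrow C\end{array}}{B_1, \ldots, B_n, p\,t, \Gamma' \longrightarrow C}\ I\mathcal{L}$$

where $p\,x = D\,p\,x$. Let $\Xi_1 = mc(\Pi_1, \ldots, \Pi_n, \Pi')$. Then $\Xi$ reduces to

$$\frac{\begin{array}{c}\Pi_S \\ D\,S\,y \longrightarrow S\,y\end{array} \qquad \begin{array}{c}\Xi_1 \\ \Delta_1, \ldots, \Delta_n, S\,t, \Gamma' \longrightarrow C\end{array}}{\Delta_1, \ldots, \Delta_n, p\,t, \Gamma' \longrightarrow C}\ I\mathcal{L}$$

$-/CI\mathcal{R}$ Suppose $\Pi$ is

$$\frac{\begin{array}{c}\Pi' \\ B_1, \ldots, B_n, \Gamma \longrightarrow S\,t\end{array} \qquad \begin{array}{c}\Pi_S \\ S\,y \longrightarrow D\,S\,y\end{array}}{B_1, \ldots, B_n, \Gamma \longrightarrow p\,t}\ CI\mathcal{R}$$

where $p\,x = D\,p\,x$. Let $\Xi_1 = mc(\Pi_1, \ldots, \Pi_n, \Pi')$. Then $\Xi$ reduces to

$$\frac{\begin{array}{c}\Xi_1 \\ \Delta_1, \ldots, \Delta_n, \Gamma \longrightarrow S\,t\end{array} \qquad \begin{array}{c}\Pi_S \\ S\,y \longrightarrow D\,S\,y\end{array}}{\Delta_1, \ldots, \Delta_n, \Gamma \longrightarrow p\,t}\ CI\mathcal{R}$$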



It is clear from an inspection of the inference rules in Figure Q] and the definition of cut reduction (see 
Appendix [X]) that every derivation ending with a multicut has a reduct. Note that since the left-hand side 
of a sequent is a multiset, the same formula may occur more than once in the multiset. In the cut reduction 
rules, we should view these occurrences as distinct so that no ambiguity arises as to which occurrence of a 
formula is subject to the mc rule. 

The following lemma shows that the reduction relation is preserved by eigenvariable substitution. The
proof is given in Appendix [B].

Lemma 9. Let $\Pi$ be a derivation ending with a mc and let $\theta$ be a substitution. If $\Pi\theta$ reduces to $\Xi$ then there
exists a derivation $\Pi'$ such that $\Xi = \Pi'\theta$ and $\Pi$ reduces to $\Pi'$.

4.2. Normalizability

Definition 10. We define the set of normalizable derivations to be the smallest set that satisfies the following 
conditions: 

1. If a derivation $\Pi$ ends with a multicut, then it is normalizable if every reduct of $\Pi$ is normalizable.

2. If a derivation ends with any rule other than a multicut, then it is normalizable if the premise derivations 
are normalizable. 

The set of all normalizable derivations is denoted by NM. 

Each clause in the definition of normalizability asserts that a derivation is normalizable if certain (possibly 
infinitely many) other derivations are normalizable. We call the latter the predecessors of the former. Thus 
a derivation is normalizable if the tree of its successive predecessors is well-founded. We refer to this well- 
founded tree as its normalization. Since a normalization is well-founded, it has an associated induction 
principle: for any property $P$ of derivations, if for every derivation $\Pi$ in the normalization, $P$ holds for every
predecessor of $\Pi$ implies that $P$ holds for $\Pi$, then $P$ holds for every derivation in the normalization. We
shall define explicitly a measure on a normalizable derivation based on its normalization tree.

Definition 11 (Normalization Degree). Let $\Pi$ be a normalizable derivation. The normalization degree
of $\Pi$, denoted by $nd(\Pi)$, is defined by induction on the normalization of $\Pi$ as follows:

$$nd(\Pi) = 1 + lub(\{nd(\Pi') \mid \Pi' \text{ is a predecessor of } \Pi\})$$

The normalization degree of $\Pi$ is basically the height of its normalization tree. Note that $nd(\Pi)$ can be an
ordinal in general, due to the possibly infinite-branching rule $eq\mathcal{L}$.

Lemma 10. If there is a normalizable derivation of a sequent, then there is a cut-free derivation of the
sequent.

Proof. Similarly to [25]. □



In the proof of the main lemma for cut elimination (Lemma 21) we shall use induction on the normalization
degree, instead of using directly the normalization ordering. The reason is that in some inductive cases in the
proof, we need to compare a (normalizable) derivation with its instances, but the normalization ordering does
not necessarily relate the two, e.g., $\Pi$ and $\Pi\theta$ may not be related by the normalization ordering, although
their normalization degrees are (see Lemma 12). Later, we shall define a stronger ordering called reducibility,
which implies normalizability. In the cut elimination proof for $FO\lambda^{\Delta\mathbb{N}}$ [25], in one of the inductive cases, an
implicit reducibility ordering is assumed to hold between derivation $\Pi$ and its instance $\Pi\theta$. As the reducibility
ordering in their setting is a subset of the normalizability ordering, this assumption may not hold in all cases,
and as a consequence there is a gap in the proof in [25].⁵

The next lemma states that normalization is closed under substitutions. 

Lemma 11. If $\Pi$ is a normalizable derivation, then for any substitution $\theta$, $\Pi\theta$ is normalizable.

Proof. By induction on $nd(\Pi)$.

1. If $\Pi$ ends with a multicut, then $\Pi\theta$ also ends with a multicut. By Lemma [9] every reduct of $\Pi\theta$
corresponds to a reduct of $\Pi$, therefore by induction hypothesis every reduct of $\Pi\theta$ is normalizable, and
hence $\Pi\theta$ is normalizable.

2. Suppose $\Pi$ ends with a rule other than multicut and has premise derivations $\{\Pi_i\}$. By Definition [5] each
premise derivation in $\Pi\theta$ is either $\Pi_i$ or $\Pi_i\theta$. Since $\Pi$ is normalizable, $\Pi_i$ is normalizable, and so by the
induction hypothesis $\Pi_i\theta$ is also normalizable. Thus $\Pi\theta$ is normalizable. □

The normalization degree is non-increasing under eigenvariable substitution.

Lemma 12. Let $\Pi$ be a normalizable derivation. Then $nd(\Pi) \geq nd(\Pi\theta)$ for every substitution $\theta$.

Proof. By induction on $nd(\Pi)$ using Definition [5] and Lemma [9]. Note that $nd(\Pi\theta)$ can be smaller than
$nd(\Pi)$ because substitution may reduce the number of premises in $eq\mathcal{L}$, i.e., if $\Pi$ ends with an $eq\mathcal{L}$ acting
on, say $x = y$ (which are unifiable), and $\theta$ is a substitution that maps $x$ and $y$ to distinct constants then $\Pi\theta$
ends with $eq\mathcal{L}$ with empty premise. □

4.3. Parametric reducibility

In the following, we shall use the term "type" in two different settings: in categorizing terms and in 
categorizing derivations. To avoid confusion, we shall refer to the types of terms as syntactic types, and the 
term "type" is reserved for types of derivations. 

Our notion of a type of a set of derivations may abstract from particular first-order terms in a formula.
This is because our definition of reducibility (candidates) will have to be closed under eigenvariable substitutions,
which is in turn imposed by the fact that our proof rules allow instantiation of eigenvariables in the
derivations (i.e., the $eq\mathcal{L}$ and the subst rules).



5 This gap was fixed in [52] by strengthening the main lemma for cut elimination. Recently, Andrew Gacek and Gopalan
Nadathur proposed another fix by assigning an explicit ordinal to each reducible derivation, and using the ordering on
ordinals to replace the reducibility ordering in the lemma. A discussion of these fixes can be found in the errata page of the
paper [25]: http://www.lix.polytechnique.fr/Labo/Dale.Miller/papers/tcsOO.errata.html We essentially follow Gacek
and Nadathur's approach here, although we assign ordinals to normalizable derivations rather than to reducible derivations.






Definition 12 (Types of derivations). We say that a derivation $\Pi$ has type $C$ if the end sequent of $\Pi$
is of the form $\Gamma \longrightarrow C$ for some $\Gamma$. Let $F$ be a term with syntactic type $\alpha_1 \to \cdots \to \alpha_n \to o$, where each
$\alpha_i$ is a syntactic efo-type. A set of derivations $\mathcal{S}$ is said to be of type $F$ if every derivation in $\mathcal{S}$ has type
$F\,u_1 \ldots u_n$ for some terms $u_1, \ldots, u_n$. Given a list of terms $u = u_1 : \alpha_1, \ldots, u_n : \alpha_n$ and a set of derivations
$\mathcal{S}$ of type $F : \alpha_1 \to \cdots \to \alpha_n \to o$, we denote with $\mathcal{S}\,u$ the set

$$\mathcal{S}\,u = \{\Pi \in \mathcal{S} \mid \Pi \text{ has type } F\,u\}$$

Definition 13 (Reducibility candidate). Let $F$ be a closed term having the syntactic type $\alpha_1 \to \cdots \to \alpha_n \to o$.
A set of derivations $\mathcal{R}$ of type $F$ is said to be a reducibility candidate of type $F$ if the following
hold:

CR0 If $\Pi \in \mathcal{R}$ then $\Pi\theta \in \mathcal{R}$, for every $\theta$.

CR1 If $\Pi \in \mathcal{R}$ then $\Pi$ is normalizable.

CR2 If $\Pi \in \mathcal{R}$ and $\Pi$ reduces to $\Pi'$ then $\Pi' \in \mathcal{R}$.

CR3 If $\Pi$ ends with mc and all its reducts are in $\mathcal{R}$, then $\Pi \in \mathcal{R}$.

CR4 If $\Pi$ ends with init, then $\Pi \in \mathcal{R}$.

CR5 If $\Pi$ ends with a left-rule or subst, all its minor premise derivations are normalizable, and all its
major premise derivations are in $\mathcal{R}$, then $\Pi \in \mathcal{R}$.

We shall write $\mathcal{R} : F$ to denote a reducibility candidate $\mathcal{R}$ of type $F$.



The conditions CR1 and CR2 are similar to the eponymous conditions in Girard's definition of
reducibility candidates in his strong normalisation proof for System F (see [18], Chapter 14). Girard's CR3
is expanded in our definition to CR3, CR4 and CR5. These conditions deal with what Girard refers to as
"neutral" proof term (or, in our setting, derivations). Neutrality corresponds to derivations ending in mc,
init, subst, or a left rule.

The condition CR0 is needed because our cut reduction rules involve substitution of eigenvariables in
some cases (i.e., those that involve permutation of $eq\mathcal{L}$ and subst in the left/right commutative cases), and
consequently, the notion of reducibility (candidate) needs to be preserved under eigenvariable substitution.

Let $\mathcal{S}$ be a set of derivations of type $B$ and let $\mathcal{T}$ be a set of derivations of type $C$. Then $\mathcal{S} \Rightarrow \mathcal{T}$ denotes
the set of derivations such that $\Pi \in \mathcal{S} \Rightarrow \mathcal{T}$ if and only if $\Pi$ ends with a sequent $\Gamma \longrightarrow C$ such that $B \in \Gamma$
and for every $\Xi \in \mathcal{S}$, we have $mc(\Xi, \Pi) \in \mathcal{T}$.

Let $S$ be a closed term. Define $NM_S$ to be the set

$$NM_S = \{\Pi \mid \Pi \in NM \text{ and is of type } S\,u \text{ for some } u\}.$$

It can be shown that $NM_S$ is a reducibility candidate of type $S$.

Lemma 13. Let $S$ be a term of syntactic type $\alpha_1 \to \cdots \to \alpha_n \to o$. Then the set $NM_S$ is a reducibility
candidate of type $S$.

Proof. CR0 follows from Lemma [11]. CR1 follows from the definition of $NM_S$, and the rest follow from
Definition [10]. □

Definition 14 (Candidate substitution). A candidate substitution $\Omega$ is a partial map from parameters
to triples of reducibility candidates, derivations and closed terms such that whenever $\Omega(X^p) = (\mathcal{R}, \Pi, S)$, we
have

• $S$ has the same syntactic type as $p$,

• $\mathcal{R}$ is a reducibility candidate of type $S$, and

• either one of the following holds:

— $p\,x = B\,p\,x$ and $\Pi$ is a normalizable derivation of $B\,S\,y \longrightarrow S\,y$, or

— $p\,x = B\,p\,x$ and $\Pi$ is a normalizable derivation of $S\,y \longrightarrow B\,S\,y$.

We denote with $supp(\Omega)$ the support of $\Omega$, i.e., the set of parameters on which $\Omega$ is defined. Each candidate
substitution $\Omega$ determines a unique parameter substitution $\Theta$, given by:

$$\Theta(X^p) = (\Pi, S) \text{ iff } \Omega(X^p) = (\mathcal{R}, \Pi, S) \text{ for some } \mathcal{R}.$$

We denote with $Sub(\Omega)$ the parameter substitution obtained this way. We say that a parameter $X^p$ is
fresh for $\Omega$, written $X^p \# \Omega$, if $X^p \# Sub(\Omega)$.

Notation. Since every candidate substitution has a corresponding parameter substitution, we shall often
treat a candidate substitution as a parameter substitution. In particular, we shall write $C\Omega$ to denote
$C(Sub(\Omega))$ and $\Pi\Omega$ to denote $\Pi(Sub(\Omega))$.

6 From now on, we shall assume that the $\alpha_i$ are always efo-types.

We are now ready to define the notion of parametric reducibility. We follow a similar approach for
$FO\lambda^{\Delta\mathbb{N}}$ [25], where families of reducibility sets are defined by the level of derivations, i.e. the size of the
types of derivations. In defining a family (or families) of sets of derivations at level $k$, we assume that
reducibility sets at level $j < k$ are already defined. The main difference with the notion of reducibility
for $FO\lambda^{\Delta\mathbb{N}}$, aside from the use of parameters in the clause for (co)induction rules (which do not exist in
$FO\lambda^{\Delta\mathbb{N}}$), is in the treatment of the induction rules.

Definition 15 (Parametric reducibility). Let $\mathcal{F}_k$ be the set of all formulae of size $k$, i.e. $\{F \mid |F| = k\}$.

The family of parametric reducibility sets $RED_C[\Omega]$, where $C$ is a formula and $\Omega$ is a candidate substitution,
is defined by induction on the size of $C$ as follows. For each $k$, the family of parametric reducibility sets of
level $k$

$$\{RED_C[\Omega]\}_{C \in \mathcal{F}_k}$$

is the smallest family of sets satisfying, for each $C \in \mathcal{F}_k$:

P1 Suppose $C = X^p\,u$ for some $u$ and some parameter $X^p$. If $X^p \in supp(\Omega)$ then $RED_C[\Omega] = \mathcal{R}\,u$, where
$\Omega(X^p) = (\mathcal{R}, \Pi_S, S)$. Otherwise, $RED_C[\Omega] = NM_{X^p}\,u$.

Otherwise, $C \neq X^p\,u$, for any $u$ and $X^p$. Then a derivation $\Pi$ of type $C\Omega$ is in $RED_C[\Omega]$ if it is
normalizable and one of the following holds:

P2 $\Pi$ ends with mc, and all its reducts are in $RED_C[\Omega]$.

P3 $\Pi$ ends with $\supset\mathcal{R}$, i.e., $C = B \supset D$ and $\Pi$ is of the form:

$$\frac{\begin{array}{c}\Pi' \\ \Gamma, B\Omega \longrightarrow D\Omega\end{array}}{\Gamma \longrightarrow B\Omega \supset D\Omega}\ \supset\mathcal{R}$$

and for every substitution $\rho$, $\Pi'\rho \in (RED_{B\rho}[\Omega] \Rightarrow RED_{D\rho}[\Omega])$.

P4 $\Pi$ ends with $I\mathcal{R}$, i.e.,

$$\frac{\Pi'}{\Gamma \longrightarrow p\,t}\ I\mathcal{R}, \text{ where } p\,x = B\,p\,x$$

without loss of generality, assume that $X^p \# \Omega$: for every reducibility candidate $(\mathcal{S} : I)$, where $I$ is a
closed term of the same syntactic type as $p$, for every normalizable derivation $\Pi_I$ of $B\,I\,y \longrightarrow I\,y$, if
for every $u$ the following holds:

$$\Pi_I[u/y] \in (RED_{(B\,X^p\,u)}[\Omega, (\mathcal{S}, \Pi_I, I)/X^p] \Rightarrow \mathcal{S}\,u)$$

then

$$mc(\Pi'[(\Pi_I, I)/X^p], \Pi_I[t/y]) \in \mathcal{S}\,t$$

P5 $\Pi$ ends with $CI\mathcal{R}$, i.e.,

$$\frac{\begin{array}{c}\Pi' \\ \Gamma \longrightarrow I\,t\end{array} \qquad \begin{array}{c}\Pi_I \\ I\,y \longrightarrow B\,I\,y\end{array}}{\Gamma \longrightarrow p\,t}\ CI\mathcal{R}, \text{ where } p\,x = B\,p\,x$$

and there exist a parameter $X^p$ such that $X^p \# \Omega$ and a reducibility candidate $(\mathcal{S} : I)$ such that $\Pi' \in \mathcal{S}$
and

$$\Pi_I[u/y] \in (\mathcal{S}\,u \Rightarrow RED_{B\,X^p\,u}[\Omega, (\mathcal{S}, \Pi_I, I)/X^p]) \text{ for every } u.$$

P6 $\Pi$ ends with any other rule and its major premise derivations are in the parametric reducibility sets of
the appropriate types.

We shall write $RED_C$, instead of $RED_C[\Omega]$, when the $supp(\Omega)$ of a candidate substitution is the empty set.
A derivation $\Pi$ of type $C$ is reducible if $\Pi \in RED_C$.



Some comments and comparison with Girard's definition of parametric reducibility for System F 18[ are 
in order, although our technical setting is somewhat different from that of Girard: 



Condition P3 quantifies over $\rho$. This is needed to show that reducibility is closed under substitution
(see Lemma 15). A similar quantification is used in the definition of reducibility for $FO\lambda^{\Delta\mathbb{N}}$ [25] for the
same purpose. In the same clause, we also quantify over derivations in $\mathrm{RED}_{B\rho}[\Omega]$, but since $B\rho$ has
smaller size than $B \supset D$, this quantification is legitimate and the definition is well-founded. Note also
the similar quantification in P4 and P5, where the parametric reducibility set $\mathrm{RED}_{p\,\vec{t}}[\Omega]$ is defined
in terms of $\mathrm{RED}_{B X^p \vec{t}}[\Omega]$. By Lemma 1, $|p\,\vec{t}| > |B\,X^p\,\vec{t}|$, so in both cases the set $\mathrm{RED}_{B X^p \vec{t}}[\Omega]$ is
already defined by induction. It is clear by inspection of the clauses that the definition of parametric
reducibility is well-founded.

Clauses P2 and P6 are needed to show that the notion of parametric reducibility is closed under left-rules,
$id$ and $mc$, i.e., conditions CR3 - CR5. This is also a point where our definition of parametric
reducibility diverges from a typical definition of reducibility in natural deduction (e.g., [18]), where
closure under reduction for "neutral" terms is a derived property.

P4 (and dually P5) can be intuitively explained in terms of the second-order encoding of inductive
definitions. To simplify presentation, we restrict to the propositional case, so P4 can be simplified as
follows:

Suppose $\Pi$ ends with $\mathrm{I}\mathcal{R}$, i.e.,

$$\dfrac{\begin{array}{c}\Pi' \\ \Gamma \longrightarrow B\,X^p\end{array}}{\Gamma \longrightarrow p}\ \mathrm{I}\mathcal{R}, \text{ where } p \stackrel{\mu}{=} B\,p$$

without loss of generality, assume that $X^p \# \Omega$: for every reducibility candidate $(\mathcal{S} : I)$, where
$I$ is a closed term of the same syntactic type as $p$, for every normalizable derivation $\Pi_I$ of
$B\,I \longrightarrow I$, if $\Pi_I \in (\mathrm{RED}_{B X^p}[\Omega, (\mathcal{S}, \Pi_I, I)/X^p] \Rightarrow \mathcal{S})$, then $mc(\Pi'[(\Pi_I, I)/X^p], \Pi_I) \in \mathcal{S}$.

Note that in the propositional Linc$^-$, the set

$$\mathrm{RED}_{B X^p}[\Omega, (\mathcal{S}, \Pi_I, I)/X^p] \Rightarrow \mathcal{S}$$

is equivalent to $\mathrm{RED}_{B X^p \supset X^p}[\Omega, (\mathcal{S}, \Pi_I, I)/X^p]$, i.e., a set of reducible derivations of type $B\,I \supset I$. So,
intuitively, $\Pi'$ can be seen as a higher-order function that takes any function of type $B\,I \supset I$ (i.e., the
derivation $\Pi_I$), and turns it into a derivation of type $I$ (i.e., the derivation $mc(\Pi'[(\Pi_I, I)/X^p], \Pi_I)$),
for all candidates $(\mathcal{S} : I)$. This intuitive reading matches the second-order interpretation of $p$, i.e.,
$\forall I.\,(B\,I \supset I) \supset I$, where the universal quantification is interpreted as the universal type constructor
and $\supset$ is interpreted as the function type constructor in System F.
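
The second-order reading of $p$ described above can be checked mechanically in the propositional case. The following Lean 4 sketch is an added illustration, not part of the paper: the names `Mu`, `Mu.ind` and `Mu.intro` are hypothetical, and monotonicity of the body `B` is an assumption made here so that the right rule is derivable.

```lean
-- Added illustration (Lean 4 core, no imports); propositional case only.
-- `Mu B` is the second-order reading  ∀ I, (B I ⊃ I) ⊃ I  of an inductive
-- proposition p whose definition has body B.
def Mu (B : Prop → Prop) : Prop :=
  ∀ I : Prop, (B I → I) → I

-- Counterpart of the left rule (induction): given an invariant I together
-- with a derivation of B I ⊃ I, a proof of `Mu B` yields a proof of I.
theorem Mu.ind {B : Prop → Prop} {I : Prop} (step : B I → I) : Mu B → I :=
  fun m => m I step

-- Counterpart of the right rule: B (Mu B) ⊃ Mu B.
-- `mono` (monotonicity of B) is an assumption of this sketch.
-- The proof is the "higher-order function" reading from the text: it takes
-- any `step : B I → I` and turns it into a proof of I.
theorem Mu.intro {B : Prop → Prop}
    (mono : ∀ {P Q : Prop}, (P → Q) → B P → B Q) : B (Mu B) → Mu B :=
  fun b I step => step (mono (fun (m : Mu B) => m I step) b)
```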






We shall now establish a list of properties of the parametric reducibility sets that will be used in the 
main cut elimination proof. The main property that we are after is one which shows that a certain set 
of derivations formed using a family of parametric reducibility sets actually forms a reducibility candidate. 
This will be important later in constructing a reducibility candidate which acts as a co-inductive "witness" 
in the main cut elimination proof. The proofs of the following lemmas are mostly routine and rather tedious; 
so we omit them here, but they can be found in Appendix B.

Lemma 14. If $\Pi \in \mathrm{RED}_C[\Omega]$ then $\Pi$ is normalizable.

Since every $\Pi \in \mathrm{RED}_C[\Omega]$ is normalizable, $nd(\Pi)$ is defined. This fact will be used implicitly in subsequent
proofs, i.e., we shall do induction on $nd(\Pi)$ to prove properties of $\mathrm{RED}_C[\Omega]$.

Lemma 15. If $\Pi \in \mathrm{RED}_C[\Omega]$ then for every substitution $\rho$, $\Pi\rho \in \mathrm{RED}_{C\rho}[\Omega]$.

Lemma 16. Let $\Omega = [\Omega', (\mathcal{R}, \Pi_S, S)/X^p]$. Let $C$ be a formula such that $X^p \# C$. Then for every $\Pi$,
$\Pi \in \mathrm{RED}_C[\Omega]$ if and only if $\Pi \in \mathrm{RED}_C[\Omega']$.

Lemma 17. Let $\Omega$ be a candidate substitution and $F$ be a closed term of syntactic type $\alpha_1 \to \cdots \to \alpha_n \to o$.
Then the set

$$\mathcal{R} = \{\Pi \mid \Pi \in \mathrm{RED}_{F \vec{u}}[\Omega] \text{ for some } \vec{u}\}$$

is a reducibility candidate of type $F\Omega$.

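Lemma 18. Let $\Omega$ be a candidate substitution and let $X^p$ be a parameter such that $X^p \# \Omega$. Let $S$ be a
closed term of the same type as $p$ and let

$$\mathcal{R} = \{\Pi \mid \Pi \in \mathrm{RED}_{S \vec{u}}[\Omega] \text{ for some } \vec{u}\}.$$

Suppose $[\Omega, (\mathcal{R}, \Psi, S\Omega)/X^p]$ is a candidate substitution, for some $\Psi$. Then

$$\mathrm{RED}_{C[S/X^p]}[\Omega] = \mathrm{RED}_C[\Omega, (\mathcal{R}, \Psi, S\Omega)/X^p].$$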

4.4. Cut elimination

We shall now show that every derivation is reducible, hence every derivation can be normalized to a 
cut-free derivation. But in order to prove this, we need a slightly more general lemma, which states that 
every derivation is in $\mathrm{RED}_C[\Omega]$ for a certain kind of candidate substitution $\Omega$. The precise definition is
given below. 

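Definition 16 (Definitional closure). A candidate substitution $\Omega$ is definitionally closed if for every
$X^p \in supp(\Omega)$, if $\Omega(X^p) = (\mathcal{R}, \Pi_S, S)$ then either one of the following holds:

• $p\,\vec{x} \stackrel{\mu}{=} B\,p\,\vec{x}$, for some $B$ and for every $\vec{u}$ of the appropriate syntactic types:

$$\Pi_S[\vec{u}/\vec{x}] \in \mathrm{RED}_{B X^p \vec{u}}[\Omega] \Rightarrow \mathcal{R}\,\vec{u}.$$

• $p\,\vec{x} \stackrel{\nu}{=} B\,p\,\vec{x}$, for some $B$ and for every $\vec{u}$ of the appropriate syntactic types:

$$\Pi_S[\vec{u}/\vec{x}] \in \mathcal{R}\,\vec{u} \Rightarrow \mathrm{RED}_{B X^p \vec{u}}[\Omega].$$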

The next two lemmas show that definitionally closed substitutions can be extended in a way that preserves 
definitional closure. 

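Lemma 19. Let $\Omega = [\Omega', (\mathcal{R}, \Pi_S, S)/X^p]$ be a candidate substitution such that $p\,\vec{x} \stackrel{\mu}{=} B\,p\,\vec{x}$, $\Omega'$ is
definitionally closed, and for every $\vec{u}$ of the same types as $\vec{x}$,

$$\Pi_S[\vec{u}/\vec{x}] \in \mathrm{RED}_{B X^p \vec{u}}[\Omega] \Rightarrow \mathcal{R}\,\vec{u}.$$

Then $\Omega$ is definitionally closed.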
Proof. Let $Y^q \in supp(\Omega)$. Suppose $\Omega(Y^q) = (\mathcal{S}, \Pi_I, I)$. We need to show that

$$\Pi_I[\vec{t}/\vec{x}] \in \mathrm{RED}_{B Y^q \vec{t}}[\Omega] \Rightarrow \mathcal{S}\,\vec{t}$$

for every $\vec{t}$ of the same types as $\vec{x}$. If $Y^q = X^p$ then this follows from the assumption of the lemma.
Otherwise, $Y^q \in supp(\Omega')$, and by the definitional closure assumption on $\Omega'$, we have

$$\Pi_I[\vec{t}/\vec{x}] \in \mathrm{RED}_{B Y^q \vec{t}}[\Omega'] \Rightarrow \mathcal{S}\,\vec{t}$$

for every $\vec{t}$. Since $X^p \# (B\,Y^q\,\vec{t})$ (recall that definition clauses cannot contain occurrences of parameters), by
Lemma 16 we have $\mathrm{RED}_{B Y^q \vec{t}}[\Omega'] = \mathrm{RED}_{B Y^q \vec{t}}[\Omega]$, and therefore the result. □

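Lemma 20. Let $\Omega = [\Omega', (\mathcal{R}, \Pi_S, S)/X^p]$ be a candidate substitution such that $p\,\vec{x} \stackrel{\nu}{=} B\,p\,\vec{x}$, $\Omega'$ is
definitionally closed, and for every $\vec{u}$ of the same types as $\vec{x}$,

$$\Pi_S[\vec{u}/\vec{x}] \in \mathcal{R}\,\vec{u} \Rightarrow \mathrm{RED}_{B X^p \vec{u}}[\Omega].$$

Then $\Omega$ is definitionally closed.

Proof. Analogous to the proof of Lemma 19. □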

We are now ready to state the main lemma for cut elimination. 

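Lemma 21. Let $\Omega$ be a definitionally closed candidate substitution. Let $\Pi$ be a derivation of
$B_1, \ldots, B_n, \Gamma \longrightarrow C$, and let

$$\begin{array}{c}\Pi_1 \\ \Delta_1 \longrightarrow B_1\Omega\end{array},\ \ldots,\ \begin{array}{c}\Pi_n \\ \Delta_n \longrightarrow B_n\Omega\end{array}$$

where $n \geq 0$, be derivations in, respectively, $\mathrm{RED}_{B_1}[\Omega], \ldots, \mathrm{RED}_{B_n}[\Omega]$. Then the derivation $\Xi$

$$\dfrac{\begin{array}{c}\Pi_1 \\ \Delta_1 \longrightarrow B_1\Omega\end{array} \quad \cdots \quad \begin{array}{c}\Pi_n \\ \Delta_n \longrightarrow B_n\Omega\end{array} \quad \begin{array}{c}\Pi\Omega \\ B_1\Omega, \ldots, B_n\Omega, \Gamma\Omega \longrightarrow C\Omega\end{array}}{\Delta_1, \ldots, \Delta_n, \Gamma\Omega \longrightarrow C\Omega}\ mc$$

is in $\mathrm{RED}_C[\Omega]$.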

Proof. The proof is by induction on

$$\mathcal{M}(\Xi) = \langle ht(\Pi),\ \sum_{i=1}^{n} |B_i|,\ ND(\Xi) \rangle$$

where $ND(\Xi)$ is the multiset $\{nd(\Pi_1), \ldots, nd(\Pi_n)\}$ of normalization degrees of $\Pi_1$ to $\Pi_n$. Note that the
measure $\mathcal{M}$ can be well-ordered using the lexicographical ordering. We shall refer to this ordering as simply
$<$. Note also that $\mathcal{M}$ is insensitive to the order in which $\Pi_i$ is given, thus when we need to distinguish one
of the $\Pi_i$, we shall refer to it as $\Pi_1$ without loss of generality. The derivation $\Xi$ is in $\mathrm{RED}_C[\Omega]$ if all its
reducts are in $\mathrm{RED}_C[\Omega]$.

CASE I: $n = 0$. In this case, $\Xi$ reduces to $\Pi\Omega$, thus it is enough to show that $\Pi\Omega \in \mathrm{RED}_C[\Omega]$. This
is proved by case analysis on $C$ and on the last rule of $\Pi$.

I.1. Suppose $C = X^p\,\vec{t}$ for some parameter $X^p$ and terms $\vec{t}$.

If $X^p \notin supp(\Omega)$ then we need only to show that $\Pi\Omega$ is normalizable. This follows mostly straightforwardly
from the induction hypothesis and Lemma 14. The only interesting case is when $\Pi$ ends with $\mathrm{CI}\mathcal{L}_p$ on some
$Y^q\,\vec{u}$ such that $Y^q \in supp(\Omega)$, i.e., $\Pi$ takes the form

$$\dfrac{\begin{array}{c}\Pi' \\ D\,Y^q\,\vec{u}, \Gamma \longrightarrow C\end{array}}{Y^q\,\vec{u}, \Gamma \longrightarrow C}\ \mathrm{CI}\mathcal{L}_p$$

Suppose $\Omega(Y^q) = (\mathcal{R}, \Pi_S, S)$. Then $\Pi\Omega = mc(mc(Id_{S \vec{u}}, \Pi_S[\vec{u}/\vec{x}]), \Pi'\Omega)$. By CR4 we have that $Id_{S \vec{u}} \in \mathcal{R}$, so
by the definitional closure of $\Omega$ and CR3, we have $mc(Id_{S \vec{u}}, \Pi_S[\vec{u}/\vec{x}]) \in \mathrm{RED}_{D Y^q \vec{u}}[\Omega]$. Since $ht(\Pi') < ht(\Pi)$,
and since $\Pi\Omega = mc(mc(Id_{S \vec{u}}, \Pi_S[\vec{u}/\vec{x}]), \Pi'\Omega)$, by the induction hypothesis, we have $\Pi\Omega \in \mathrm{RED}_C[\Omega]$, and
therefore, by Lemma 14, $\Pi\Omega$ is normalizable. Note that this case is actually independent of the form of $C$.

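Otherwise, suppose $X^p \in supp(\Omega)$, and $\Omega(X^p) = (\mathcal{R}, \Pi_S, S)$. Then there are several cases to consider,
based on the last rule of $\Pi$. In all cases, we need to show that $\Pi\Omega \in \mathcal{R}\,\vec{t}$. Note that since $\Pi\Omega$ is of type $S\,\vec{t}$,
$\Pi\Omega \in \mathcal{R}$ implies that $\Pi\Omega \in \mathcal{R}\,\vec{t}$. So in the following in some cases we need to show only that $\Pi\Omega \in \mathcal{R}$.

• $\Pi$ ends with $init$: then $\Pi\Omega$ also ends with $init$ and by CR4, $\Pi\Omega \in \mathcal{R}$.

• $\Pi$ ends with $mc$: This follows from the induction hypothesis and Lemma 14.

• $\Pi$ ends with $\mathrm{CI}\mathcal{L}_p$: Suppose $\Pi$ ends with $\mathrm{CI}\mathcal{L}_p$ acting on a formula $Y^q\,\vec{u}$. If $Y^q \notin supp(\Omega)$, then this
follows immediately from the induction hypothesis and CR5. If $Y^q \in supp(\Omega)$, then we use the same
arguments as shown above.

• $\Pi$ ends with $subst$ or a left-rule other than $\mathrm{CI}\mathcal{L}_p$: Suppose the premise derivations of the rule are

$$\left\{\begin{array}{c}\Psi_i \\ \Gamma_i \longrightarrow C_i\end{array}\right\}_{i \in I}$$

for some index set $I$. Then $\Pi\Omega$ ends with the same left rule and has premise derivations $\{\Psi_i\Omega\}_{i \in I}$.

By the induction hypothesis, $\Psi_i\Omega \in \mathrm{RED}_{C_i}[\Omega]$ for every $i \in I$, and by Lemma 14 each $\Psi_i\Omega$ is also
normalizable. The latter implies that $\Pi\Omega$ is normalizable. Note that if $\Psi_i$ is a major premise derivation,
then $C_i = X^p\,\vec{u}$ for some $\vec{u}$, and we have $\Psi_i\Omega \in \mathcal{R}$. Therefore, by CR5, we have that $\Pi\Omega \in \mathcal{R}$.

• Suppose $\Pi$ ends with $\mathrm{I}\mathcal{R}_p$:

$$\dfrac{\begin{array}{c}\Pi' \\ \Gamma \longrightarrow D\,X^p\,\vec{t}\end{array}}{\Gamma \longrightarrow X^p\,\vec{t}}\ \mathrm{I}\mathcal{R}_p$$

where $p\,\vec{x} \stackrel{\mu}{=} D\,p\,\vec{x}$. Then $\Pi\Omega = mc(\Pi'\Omega, \Pi_S[\vec{t}/\vec{x}])$. From the induction hypothesis, we have that
$\Pi'\Omega \in \mathrm{RED}_{D X^p \vec{t}}[\Omega]$. This, together with the definitional closure of $\Omega$, implies that $\Pi\Omega$ is indeed in
$\mathcal{R}\,\vec{t}$.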

I.2. Suppose $C \neq X^p\,\vec{t}$ for any parameter $X^p$ and any terms $\vec{t}$.

Most subcases follow easily from the induction hypothesis, Lemma 14 and Definition 15. The subcases
where $\Pi$ ends with a left rule follow the same lines of arguments as in Case I.1 above. We show here the
non-trivial subcases involving right-introduction rules:

I.2.a. Suppose $\Pi$ ends with $\supset\mathcal{R}$, as shown below left. Then $\Pi\Omega$ is as shown below right.

$$\dfrac{\begin{array}{c}\Pi' \\ \Gamma, C_1 \longrightarrow C_2\end{array}}{\Gamma \longrightarrow C_1 \supset C_2}\ \supset\mathcal{R} \qquad\qquad \dfrac{\begin{array}{c}\Pi'\Omega \\ \Gamma\Omega, C_1\Omega \longrightarrow C_2\Omega\end{array}}{\Gamma\Omega \longrightarrow C_1\Omega \supset C_2\Omega}\ \supset\mathcal{R}$$

To show $\Pi\Omega \in \mathrm{RED}_C[\Omega]$, we need to show that $\Pi\Omega$ is normalizable and that

$$\Pi'\Omega\theta \in \mathrm{RED}_{C_1\theta}[\Omega] \Rightarrow \mathrm{RED}_{C_2\theta}[\Omega] \qquad (1)$$

for every $\theta$. Since $ht(\Pi') < ht(\Pi)$, by the induction hypothesis, $\Pi'\Omega \in \mathrm{RED}_{C_2}[\Omega]$. Normalizability of $\Pi\Omega$
then follows immediately from this and Lemma 14. It remains to show that Statement (1) holds:

Let $\Psi$ be a derivation in $\mathrm{RED}_{C_1\theta}[\Omega]$. Let $\Xi_1 = mc(\Psi, \Pi'\Omega\theta)$. Note that since parameter substitution
commutes with eigenvariable substitution, $\Pi'\Omega\theta = \Pi'\theta\Omega$. Since $ht(\Pi'\theta) \leq ht(\Pi') < ht(\Pi)$ (Lemma 4), by the
induction hypothesis, we have $\Xi_1 \in \mathrm{RED}_{C_2\theta}[\Omega]$. In other words, Statement (1) holds for arbitrary $\theta$, and
therefore by Definition 15, $\Pi\Omega \in \mathrm{RED}_C[\Omega]$.
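I.2.b. Suppose $\Pi$ ends with $\mathrm{I}\mathcal{R}$, as shown below left, where $p\,\vec{x} \stackrel{\mu}{=} D\,p\,\vec{x}$. We can assume w.l.o.g. that $X^p \# \Omega$.
Then $\Pi\Omega$ is as shown below right.

$$\dfrac{\Pi'}{\Gamma \longrightarrow p\,\vec{t}}\ \mathrm{I}\mathcal{R} \qquad\qquad \dfrac{\Pi'\Omega}{\Gamma\Omega \longrightarrow p\,\vec{t}}\ \mathrm{I}\mathcal{R}$$

To show that $\Pi\Omega \in \mathrm{RED}_C[\Omega]$, we need to show that $\Pi\Omega$ is normalizable (as before this easily follows from
the induction hypothesis and Lemma 14) and that

$$mc((\Pi'\Omega)[(\Pi_S, S)/X^p], \Pi_S[\vec{t}/\vec{x}]) \in \mathcal{R}\,\vec{t} \qquad (2)$$

for every candidate $(\mathcal{R} : S)$ and every $\Pi_S$ that satisfies:

$$\Pi_S[\vec{u}/\vec{x}] \in \mathrm{RED}_{D X^p \vec{u}}[\Omega, (\mathcal{R}, \Pi_S, S)/X^p] \Rightarrow \mathcal{R}\,\vec{u} \text{ for every } \vec{u}. \qquad (3)$$

Let $\Omega' = [\Omega, (\mathcal{R}, \Pi_S, S)/X^p]$. Note that since $X^p \# \Omega$, we have $\Pi'\Omega[(\Pi_S, S)/X^p] = \Pi'\Omega'$. So Statement (2)
above can be rewritten to

$$mc(\Pi'\Omega', \Pi_S[\vec{t}/\vec{x}]) \in \mathcal{R}\,\vec{t}. \qquad (4)$$

By Lemma 19 we have that $\Omega'$ is definitionally closed. Therefore we can apply the induction hypothesis
to $\Pi'$ and $\Omega'$, obtaining $\Pi'\Omega' \in \mathrm{RED}_{D X^p \vec{t}}[\Omega']$. This, together with definitional closure of $\Omega'$, immediately
implies Statement (4) above, hence $\Pi\Omega$ is indeed in $\mathrm{RED}_C[\Omega]$.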

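I.2.c. Suppose $\Pi$ ends with $\mathrm{CI}\mathcal{R}$, as shown below left, where $p\,\vec{y} \stackrel{\nu}{=} D\,p\,\vec{y}$. Let $S' = S\Omega$. Then $\Pi\Omega$ is as
shown below right.

$$\dfrac{\begin{array}{c}\Pi' \\ \Gamma \longrightarrow S\,\vec{t}\end{array} \quad \begin{array}{c}\Pi_S \\ S\,\vec{x} \longrightarrow D\,S\,\vec{x}\end{array}}{\Gamma \longrightarrow p\,\vec{t}}\ \mathrm{CI}\mathcal{R} \qquad\qquad \dfrac{\begin{array}{c}\Pi'\Omega \\ \Gamma\Omega \longrightarrow S'\,\vec{t}\end{array} \quad \begin{array}{c}\Pi_S\Omega \\ S'\,\vec{x} \longrightarrow D\,S'\,\vec{x}\end{array}}{\Gamma\Omega \longrightarrow p\,\vec{t}}\ \mathrm{CI}\mathcal{R}$$

Note that $\Pi\Omega$ is normalizable, by the induction hypothesis and Lemma 14. To show that $\Pi\Omega \in \mathrm{RED}_C[\Omega]$
it remains to show that there exists a reducibility candidate $(\mathcal{R} : S')$ such that

(a) $\Pi'\Omega \in \mathcal{R}$, and

(b) $\Pi_S\Omega[\vec{u}/\vec{x}] \in \mathcal{R}\,\vec{u} \Rightarrow \mathrm{RED}_{D X^p \vec{u}}[\Omega, (\mathcal{R}, \Pi_S\Omega, S')/X^p]$ for a new $X^p \# \Omega$.

Let $\mathcal{R} = \{\Psi \mid \Psi \in \mathrm{RED}_{S \vec{u}}[\Omega]\}$. By Lemma 17, $\mathcal{R}$ is a reducibility candidate of type $S'$. By the induction
hypothesis, we have $\Pi'\Omega \in \mathcal{R}$, so $\mathcal{R}$ satisfies (a). Since substitution does not increase the height of derivations,
we have that $ht(\Pi_S[\vec{u}/\vec{x}]) \leq ht(\Pi_S)$, and therefore, by applying the induction hypothesis to $\Pi_S[\vec{u}/\vec{x}]$, we
have $mc(\Psi, \Pi_S\Omega[\vec{u}/\vec{x}]) \in \mathrm{RED}_{D S \vec{u}}[\Omega]$ for every $\Psi \in \mathrm{RED}_{S \vec{u}}[\Omega]$. In other words,

$$\Pi_S\Omega[\vec{u}/\vec{x}] \in \mathrm{RED}_{S \vec{u}}[\Omega] \Rightarrow \mathrm{RED}_{D S \vec{u}}[\Omega].$$

Notice that $\mathrm{RED}_{S \vec{u}}[\Omega]$ is exactly $\mathcal{R}\,\vec{u}$. So the above statement can be rewritten to

$$\Pi_S\Omega[\vec{u}/\vec{x}] \in \mathcal{R}\,\vec{u} \Rightarrow \mathrm{RED}_{D S \vec{u}}[\Omega].$$

By Lemma 18, $\mathrm{RED}_{D S \vec{u}}[\Omega] = \mathrm{RED}_{D X^p \vec{u}}[\Omega, (\mathcal{R}, \Pi_S\Omega, S')/X^p]$, which means that $\mathcal{R}$ indeed satisfies
condition (b) above, and therefore $\Pi\Omega \in \mathrm{RED}_C[\Omega]$.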

CASE II: $n > 0$. To show that $\Xi \in \mathrm{RED}_C[\Omega]$ in this case, we need to show that all its reducts are in
$\mathrm{RED}_C[\Omega]$ and that $\Xi$ is normalizable. The latter follows from the former by Lemma 14 and Definition 10,
so in the following we need only to show the former.

Note that in this case, we do not need to distinguish cases based on whether $C$ is headed by a parameter or
not. To see why, suppose $C = X^p\,\vec{t}$ for some parameter $X^p$. If $X^p \notin supp(\Omega)$ then to show $\Xi \in \mathrm{RED}_C[\Omega]$ we
need to show that it is normalizable, which means that we need to show that all its reducts are normalizable.
But since all reducts of $\Xi$ have the same type $X^p\,\vec{t}$, showing their normalizability amounts to the same thing
as showing that they are in $\mathrm{RED}_C[\Omega]$. If $X^p \in supp(\Omega)$, then to show $\Xi \in \mathrm{RED}_C[\Omega]$ we need to show that
$\Xi \in \mathcal{R}$. Then by CR3, it is enough to show that all reducts of $\Xi$ are in $\mathcal{R}$, which is the same as showing
that all reducts of $\Xi$ are in $\mathrm{RED}_C[\Omega]$.

Since the applicable reduction rules to $\Xi$ are driven by the shape of $\Pi\Omega$, and since $\Pi\Omega$ is determined by
$\Pi$, we shall perform case analysis on $\Pi$ in order to determine the possible reduction rules that apply to $\Xi$,
and show in each case that the reduct of $\Xi$ is in the same parametric reducibility set. There are several main
cases depending on whether $\Pi$ ends with a rule acting on a cut formula $B_i$ or not. Again, when we refer to
$B_i$, without loss of generality, we assume $i = 1$.

In the following, we say that an instance of $\mathrm{CI}\mathcal{L}_p$ is trivial if it applies to a formula $Y^q\,\vec{u}$ for some $\vec{u}$, but
$Y^q \notin supp(\Omega)$. Otherwise, we say that it is non-trivial.

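II.1. Suppose $\Pi$ ends with a left rule, other than $c\mathcal{L}$, $w\mathcal{L}$ and a non-trivial $\mathrm{CI}\mathcal{L}_p$, on $B_1$ and $\Pi_1$ ends with
a right-introduction rule. There are several subcases depending on the logical rules that are applied to $B_1$.
We show here the non-trivial cases:

$\supset\mathcal{R}/\supset\mathcal{L}$ Suppose $\Pi_1$ and $\Pi$ are

$$\dfrac{\begin{array}{c}\Pi_1' \\ \Delta_1, B_1'\Omega \longrightarrow B_1''\Omega\end{array}}{\Delta_1 \longrightarrow B_1'\Omega \supset B_1''\Omega}\ \supset\mathcal{R} \qquad \dfrac{\begin{array}{c}\Pi' \\ B_2, \ldots, \Gamma \longrightarrow B_1'\end{array} \quad \begin{array}{c}\Pi'' \\ B_1'', B_2, \ldots, \Gamma \longrightarrow C\end{array}}{B_1' \supset B_1'', B_2, \ldots, B_n, \Gamma \longrightarrow C}\ \supset\mathcal{L}$$

Let $\Xi_1 = mc(\Pi_2, \ldots, \Pi_n, \Pi'\Omega)$. Then $\Xi_1 \in \mathrm{RED}_{B_1'}[\Omega]$ by the induction hypothesis since $ht(\Pi') < ht(\Pi)$ and
therefore $\mathcal{M}(\Xi_1) < \mathcal{M}(\Xi)$. Since $\Pi_1 \in \mathrm{RED}_{B_1}[\Omega]$, by Definition 15 we have

$$\Pi_1' \in \mathrm{RED}_{B_1'}[\Omega] \Rightarrow \mathrm{RED}_{B_1''}[\Omega]$$

and therefore the derivation $\Xi_2 = mc(\Xi_1, \Pi_1')$ with end sequent $\Delta_1, \ldots, \Delta_n, \Gamma\Omega \longrightarrow B_1''\Omega$ is in $\mathrm{RED}_{B_1''}[\Omega]$.

Let $\Xi_3 = mc(\Xi_2, \Pi_2, \ldots, \Pi_n, \Pi''\Omega)$.

The reduct of $\Xi$ in this case is the derivation $\Xi'$:

$$\dfrac{\begin{array}{c}\Xi_3 \\ \Delta_1, \ldots, \Delta_n, \Gamma\Omega, \Delta_2, \ldots, \Delta_n, \Gamma\Omega \longrightarrow C\Omega\end{array}}{\Delta_1, \ldots, \Delta_n, \Gamma\Omega \longrightarrow C\Omega}\ c\mathcal{L}$$

By the induction hypothesis, we have $\Xi_3 \in \mathrm{RED}_C[\Omega]$, and therefore, by Lemma 14, it is normalizable. By
Definition 10 this means that $\Xi'$ is normalizable and by Definition 15, $\Xi' \in \mathrm{RED}_C[\Omega]$.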



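$\forall\mathcal{L}/\forall\mathcal{R}$ Suppose $\Pi_1$ and $\Pi$ are

$$\dfrac{\begin{array}{c}\Pi_1' \\ \Delta_1 \longrightarrow B_1'\Omega[y/x]\end{array}}{\Delta_1 \longrightarrow \forall x. B_1'\Omega}\ \forall\mathcal{R} \qquad \dfrac{\begin{array}{c}\Pi' \\ B_1'[t/x], B_2, \ldots, B_n, \Gamma \longrightarrow C\end{array}}{\forall x. B_1', B_2, \ldots, B_n, \Gamma \longrightarrow C}\ \forall\mathcal{L}$$

The reduct of $\Xi$ in this case is

$$\Xi' = mc(\Pi_1'[t/y], \Pi_2, \ldots, \Pi_n, \Pi'\Omega).$$

Since $\Pi_1' \in \mathrm{RED}_{B_1'[y/x]}[\Omega]$, by Lemma 15 we have

$$\Pi_1'[t/y] \in \mathrm{RED}_{B_1'[t/x]}[\Omega].$$

Note that $ht(\Pi') < ht(\Pi)$, so we can apply the induction hypothesis to obtain $\Xi' \in \mathrm{RED}_C[\Omega]$.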
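
$\mathrm{eq}\mathcal{R}/\mathrm{eq}\mathcal{L}$ Suppose $\Pi_1$ and $\Pi$ are

$$\dfrac{}{\Delta_1 \longrightarrow s = t}\ \mathrm{eq}\mathcal{R} \qquad \dfrac{\left\{\begin{array}{c}\Pi^\rho \\ B_2\rho, \ldots, B_n\rho, \Gamma\rho \longrightarrow C\rho\end{array}\right\}_\rho}{s = t, \ldots, B_n, \Gamma \longrightarrow C}\ \mathrm{eq}\mathcal{L}$$

Note that in this case $s$ must be the same term as $t$, and therefore both are unifiable by any substitution.
Let $\Pi'$ be the derivation:

$$\dfrac{\left\{\begin{array}{c}\Pi^\rho \\ B_2\rho, \ldots, B_n\rho, \Gamma\rho \longrightarrow C\rho\end{array}\right\}_\rho}{B_2, \ldots, B_n, \Gamma \longrightarrow C}\ subst$$

and let $\Xi_1 = mc(\Pi_2, \ldots, \Pi_n, \Pi'\Omega)$. Since $ht(\Pi') = ht(\Pi)$ and since the total size of cut formulas in $\Xi_1$ is
smaller than in $\Xi$, by the induction hypothesis, we have $\Xi_1 \in \mathrm{RED}_C[\Omega]$. Then the reduct of $\Xi$ in this case
is the derivation $\Xi'$:

$$\dfrac{\begin{array}{c}\Xi_1 \\ \Delta_2, \ldots, \Delta_n, \Gamma\Omega \longrightarrow C\Omega\end{array}}{\Delta_1, \Delta_2, \ldots, \Delta_n, \Gamma\Omega \longrightarrow C\Omega}\ w\mathcal{L}$$

which is also in $\mathrm{RED}_C[\Omega]$, by the definition of parametric reducibility.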



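$\mathrm{I}\mathcal{R}/\mathrm{I}\mathcal{L}$ Suppose $\Pi_1$ and $\Pi$ are the derivations

$$\dfrac{\begin{array}{c}\Pi_1' \\ \Delta_1 \longrightarrow D\,X^p\,\vec{t}\end{array}}{\Delta_1 \longrightarrow p\,\vec{t}}\ \mathrm{I}\mathcal{R} \qquad \dfrac{\begin{array}{c}\Pi_S \\ D\,S\,\vec{x} \longrightarrow S\,\vec{x}\end{array} \quad \begin{array}{c}\Pi' \\ S\,\vec{t}, \Gamma \longrightarrow C\end{array}}{p\,\vec{t}, \Gamma \longrightarrow C}\ \mathrm{I}\mathcal{L}$$

where $p\,\vec{y} \stackrel{\mu}{=} D\,p\,\vec{y}$ and $X^p$ is a new parameter not occurring in the end sequent of $\Pi_1$ (we can assume w.l.o.g.
that $X^p \# \Omega$ and that it does not occur either in the end sequent of $\Pi$). Then $\Pi\Omega$ is the derivation

$$\dfrac{\begin{array}{c}\Pi_S\Omega \\ D\,S'\,\vec{x} \longrightarrow S'\,\vec{x}\end{array} \quad \begin{array}{c}\Pi'\Omega \\ S'\,\vec{t}, \Gamma\Omega \longrightarrow C\Omega\end{array}}{p\,\vec{t}, \Gamma\Omega \longrightarrow C\Omega}\ \mathrm{I}\mathcal{L}$$

where $S' = S\Omega$. Let $\Xi_1 = mc(\Pi_1'[(\Pi_S\Omega, S')/X^p], \Pi_S\Omega[\vec{t}/\vec{x}])$. Then the reduct of $\Xi$ in this case is the derivation

$$\Xi' = mc(\Xi_1, \Pi_2, \ldots, \Pi_n, \Pi'\Omega).$$

Since $ht(\Pi_S[\vec{u}/\vec{x}]) \leq ht(\Pi_S) < ht(\Pi)$, by the induction hypothesis, we have

$$\Pi_S\Omega[\vec{u}/\vec{x}] \in \mathrm{RED}_{D S \vec{u}}[\Omega] \Rightarrow \mathrm{RED}_{S \vec{u}}[\Omega]. \qquad (5)$$

Let $\mathcal{R} = \{\Psi \mid \Psi \in \mathrm{RED}_{S \vec{u}}[\Omega] \text{ for some } \vec{u}\}$. Then by Lemma 17, $\mathcal{R}$ is a reducibility candidate of type $S'$.
Moreover, by Lemma 18 we have

$$\mathrm{RED}_{D S \vec{u}}[\Omega] = \mathrm{RED}_{D X^p \vec{u}}[\Omega, (\mathcal{R}, \Pi_S\Omega, S')/X^p].$$

This, together with Statement (5) above, implies that

$$\Pi_S\Omega[\vec{u}/\vec{x}] \in \mathrm{RED}_{D X^p \vec{u}}[\Omega, (\mathcal{R}, \Pi_S\Omega, S')/X^p] \Rightarrow \mathcal{R}\,\vec{u} \qquad (6)$$

for every $\vec{u}$.

Since $\Pi_1 \in \mathrm{RED}_{p \vec{t}}[\Omega]$, it follows from Definition 15 that for every reducibility candidate $(\mathcal{S} : I)$ and $\Pi_I$
such that

$$\Pi_I[\vec{u}/\vec{x}] \in \mathrm{RED}_{D X^p \vec{u}}[\Omega, (\mathcal{S}, \Pi_I, I)/X^p] \Rightarrow \mathcal{S}\,\vec{u} \text{ for every } \vec{u},$$

we have

$$mc(\Pi_1'[(\Pi_I, I)/X^p], \Pi_I[\vec{t}/\vec{x}]) \in \mathcal{S}\,\vec{t}.$$

Substituting $\mathcal{R}$ for $\mathcal{S}$, $\Pi_S\Omega$ for $\Pi_I$ and $S'$ for $I$, and using Statement (5) above, we obtain:

$$\Xi_1 = mc(\Pi_1'[(\Pi_S\Omega, S')/X^p], \Pi_S\Omega[\vec{t}/\vec{x}]) \in \mathcal{R}\,\vec{t} = \mathrm{RED}_{S \vec{t}}[\Omega].$$

Since $ht(\Pi') < ht(\Pi)$, we can then apply the induction hypothesis to conclude that $\Xi' \in \mathrm{RED}_C[\Omega]$.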
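
$\mathrm{CI}\mathcal{R}/\mathrm{CI}\mathcal{L}$ Suppose $\Pi_1$ and $\Pi$ are

$$\dfrac{\begin{array}{c}\Pi_1' \\ \Delta_1 \longrightarrow S\,\vec{t}\end{array} \quad \begin{array}{c}\Pi_S \\ S\,\vec{x} \longrightarrow D\,S\,\vec{x}\end{array}}{\Delta_1 \longrightarrow p\,\vec{t}}\ \mathrm{CI}\mathcal{R} \qquad \dfrac{\begin{array}{c}\Pi' \\ D\,X^p\,\vec{t}, B_2, \ldots, \Gamma \longrightarrow C\end{array}}{p\,\vec{t}, B_2, \ldots, \Gamma \longrightarrow C}\ \mathrm{CI}\mathcal{L}$$

where $p\,\vec{y} \stackrel{\nu}{=} D\,p\,\vec{y}$ and $X^p$ is a parameter not already occurring in the end sequent of $\Pi$ (and w.l.o.g. assume
also $X^p \# \Omega$ and $X^p$ not occurring in $\Delta_i$ or $B_i$). Then $\Pi\Omega$ is

$$\dfrac{\begin{array}{c}\Pi'\Omega \\ D\,X^p\,\vec{t}, B_2\Omega, \ldots, \Gamma\Omega \longrightarrow C\Omega\end{array}}{p\,\vec{t}, B_2\Omega, \ldots, \Gamma\Omega \longrightarrow C\Omega}\ \mathrm{CI}\mathcal{L}$$

Since $\Pi_1 \in \mathrm{RED}_{p \vec{t}}[\Omega]$, by Definition 15 there exists a reducibility candidate $(\mathcal{R} : S)$ such that $\Pi_1' \in \mathcal{R}$ and
such that for every $\vec{u}$,

$$\Pi_S[\vec{u}/\vec{x}] \in \mathcal{R}\,\vec{u} \Rightarrow \mathrm{RED}_{D X^p \vec{u}}[\Omega, (\mathcal{R}, \Pi_S, S)/X^p].$$

Let $\Omega' = [\Omega, (\mathcal{R}, \Pi_S, S)/X^p]$. Then by Lemma 20, $\Omega'$ is definitionally closed.

Let $\Xi_1 = mc(\Pi_1', \Pi_S[\vec{t}/\vec{x}])$. By the definitional closure of $\Omega'$, we have that $\Xi_1 \in \mathrm{RED}_{D X^p \vec{t}}[\Omega']$.
The reduct of $\Xi$ in this case is the derivation

$$\Xi' = mc(\Xi_1, \Pi_2, \ldots, \Pi_n, \Pi'\Omega').$$

Note that since $X^p$ does not occur in $\Delta_i$ or $B_i$, by Lemma 16 we have that

$$\Pi_i \in \mathrm{RED}_{B_i}[\Omega] = \mathrm{RED}_{B_i}[\Omega']$$

for every $i \in \{2, \ldots, n\}$. Therefore, by the induction hypothesis, we have that

$$\Xi' \in \mathrm{RED}_C[\Omega'].$$

But since $X^p$ is also new for $C$, we have $\mathrm{RED}_C[\Omega'] = \mathrm{RED}_C[\Omega]$, and therefore

$$\Xi' \in \mathrm{RED}_C[\Omega].$$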

II.2. $\Pi$ ends with a left rule, other than $c\mathcal{L}$, $w\mathcal{L}$ and a non-trivial instance of $\mathrm{CI}\mathcal{L}_p$, acting on $B_1$, and $\Pi_1$
ends with a left-rule or $subst$.

Note that in these cases, the reducts always end with a left-rule. The proofs for the following cases follow
the same pattern: we first establish that the premise derivations of the reduct are either normalizable or
in certain reducibility sets. We then proceed to show that the reduct itself is reducible by appealing to the
closure conditions of reducibility under applications of left-rules. For the latter, we need to distinguish three
cases depending on $C$: If $C = X^p\,\vec{t}$ for some $X^p \in supp(\Omega)$, then closure under left-rules is guaranteed by
CR5; if $X^p \notin supp(\Omega)$ then we need to show that the reduct is normalizable, and the closure condition under
left-rules is guaranteed by the definition of normalizability. Otherwise, $C$ is not headed by any parameter,
and in this case, the closure condition follows from P6. We shall explicitly do this case analysis in one of
the subcases below, but will otherwise leave it implicit. We show the non-trivial subcases only; other
cases can be proved by straightforward applications of the induction hypothesis.



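$\supset\mathcal{L}/\circ\mathcal{L}$ Suppose $\Pi_1$ is

$$\dfrac{\begin{array}{c}\Pi_1' \\ \Delta_1' \longrightarrow D_1\end{array} \quad \begin{array}{c}\Pi_1'' \\ D_2, \Delta_1' \longrightarrow B_1\Omega\end{array}}{D_1 \supset D_2, \Delta_1' \longrightarrow B_1\Omega}\ \supset\mathcal{L}$$

Since $\Pi_1 \in \mathrm{RED}_{B_1}[\Omega]$, it follows from Definition 15 that $\Pi_1'$ is normalizable and $\Pi_1'' \in \mathrm{RED}_{B_1}[\Omega]$.

Let $\Xi_1 = mc(\Pi_1'', \Pi_2, \ldots, \Pi_n, \Pi\Omega)$. Since $nd(\Pi_1'') < nd(\Pi_1)$, by the induction hypothesis, $\Xi_1 \in \mathrm{RED}_C[\Omega]$.
The reduct of $\Xi$ in this case is the derivation $\Xi'$:

$$\dfrac{\dfrac{\Delta_1' \longrightarrow D_1}{\Delta_1', \ldots, \Gamma\Omega \longrightarrow D_1} \qquad D_2, \Delta_1', \Delta_2, \ldots, \Gamma\Omega \longrightarrow C\Omega}{D_1 \supset D_2, \Delta_1', \Delta_2, \ldots, \Gamma\Omega \longrightarrow C\Omega}\ \supset\mathcal{L}$$

Since $\Pi_1'$ is normalizable, by Definition 10 the left premise derivation of $\Xi'$ is normalizable, and since reducibility
implies normalizability (Lemma 14), the right premise is also normalizable, hence $\Xi'$ is normalizable.
Now to show $\Xi' \in \mathrm{RED}_C[\Omega]$, we need to distinguish three cases based on $C$:

• Suppose $C = X^p\,\vec{t}$ for some $X^p \in supp(\Omega)$ and $\Omega(X^p) = (\mathcal{R}, \Pi_S, S)$. Then we need to show that
$\Xi' \in \mathcal{R}\,\vec{t}$. This follows from Definition 13, more specifically, from CR5 and the fact that
$\Xi_1 \in \mathrm{RED}_C[\Omega] = \mathcal{R}\,\vec{t}$.

• Suppose $C = X^p\,\vec{t}$ but $X^p \notin supp(\Omega)$. Then we need to show that $\Xi'$ is normalizable. But this follows
immediately from the normalizability of both of its premise derivations.

• Suppose $C \neq X^p\,\vec{t}$ for any parameter $X^p$ and any terms $\vec{t}$. Since $\Xi_1 \in \mathrm{RED}_C[\Omega]$, by Definition 15 we
have $\Xi' \in \mathrm{RED}_C[\Omega]$.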



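$\mathrm{eq}\mathcal{L}/\circ\mathcal{L}$ Suppose $\Pi_1$ is as shown below left. Then the reduct of $\Xi$ in this case is shown below right, where
$\Xi^\rho = mc(\Pi_1^\rho, \Pi_2\rho, \ldots, \Pi_n\rho, \Pi\rho\Omega)$.

$$\dfrac{\left\{\Pi_1^\rho\right\}_\rho}{s = t, \Delta_1' \longrightarrow B_1\Omega}\ \mathrm{eq}\mathcal{L} \qquad\qquad \dfrac{\left\{\Xi^\rho\right\}_\rho}{s = t, \Delta_1', \Delta_2, \ldots, \Gamma\Omega \longrightarrow C\Omega}\ \mathrm{eq}\mathcal{L}$$

$\Xi^\rho \in \mathrm{RED}_{C\rho}[\Omega]$ by the induction hypothesis (since $nd(\Pi_1^\rho) < nd(\Pi_1)$ and the other measures are
non-increasing). Hence, the reduct of $\Xi$ is in $\mathrm{RED}_C[\Omega]$ by the definition of parametric reducibility.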



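$\mathrm{I}\mathcal{L}/\circ\mathcal{L}$ Suppose $\Pi_1$ is

$$\dfrac{\begin{array}{c}\Pi_S \\ D\,S\,\vec{x} \longrightarrow S\,\vec{x}\end{array} \quad \begin{array}{c}\Pi_1' \\ S\,\vec{t}, \Delta_1' \longrightarrow B_1\Omega\end{array}}{p\,\vec{t}, \Delta_1' \longrightarrow B_1\Omega}\ \mathrm{I}\mathcal{L}$$

Since $\Pi_1 \in \mathrm{RED}_{B_1}[\Omega]$, we have that $\Pi_S$ is normalizable and $\Pi_1' \in \mathrm{RED}_{B_1}[\Omega]$. Let $\Xi_1$ be the derivation

$$mc(\Pi_1', \Pi_2, \ldots, \Pi_n, \Pi\Omega).$$

Then $\Xi_1 \in \mathrm{RED}_C[\Omega]$ by the induction hypothesis, since $nd(\Pi_1') < nd(\Pi_1)$. Therefore the reduct of $\Xi$

$$\dfrac{\begin{array}{c}\Pi_S \\ D\,S\,\vec{x} \longrightarrow S\,\vec{x}\end{array} \quad \begin{array}{c}\Xi_1 \\ S\,\vec{t}, \Delta_1', \ldots, \Delta_n, \Gamma\Omega \longrightarrow C\Omega\end{array}}{p\,\vec{t}, \Delta_1', \ldots, \Delta_n, \Gamma\Omega \longrightarrow C\Omega}\ \mathrm{I}\mathcal{L}$$

is also in $\mathrm{RED}_C[\Omega]$.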

II.3. $\Pi$ ends with a left rule, other than $c\mathcal{L}$, $w\mathcal{L}$ and a non-trivial instance of $\mathrm{CI}\mathcal{L}_p$, acting on $B_1$, and $\Pi_1$
ends with $mc$ or $init$. These cases follow straightforwardly from the induction hypothesis.

II.4. Suppose $\Pi$ ends with a non-trivial application of $\mathrm{CI}\mathcal{L}_p$ on $B_1$. That is, $B_1 = X^p\,\vec{t}$, for some
$X^p \in supp(\Omega)$ and some $\vec{t}$, and $\Pi$ is

$$\dfrac{\begin{array}{c}\Pi' \\ D\,X^p\,\vec{t}, B_2, \ldots, B_n, \Gamma \longrightarrow C\end{array}}{X^p\,\vec{t}, B_2, \ldots, B_n, \Gamma \longrightarrow C}\ \mathrm{CI}\mathcal{L}_p$$

where $p\,\vec{x} \stackrel{\nu}{=} D\,p\,\vec{x}$. Suppose $\Omega(X^p) = (\mathcal{R}, \Pi_S, S)$. Then $\Pi\Omega$ is $mc(mc(Id_{S \vec{t}}, \Pi_S[\vec{t}/\vec{x}]), \Pi'\Omega)$. Let
$\Xi_1 = mc(\Pi_1, mc(Id_{S \vec{t}}, \Pi_S[\vec{t}/\vec{x}]))$. Note that $\Xi_1$ has exactly one reduct, that is,

$$\Xi_2 = mc(mc(\Pi_1, Id_{S \vec{t}}), \Pi_S[\vec{t}/\vec{x}]).$$

Note that $mc(\Pi_1, Id_{S \vec{t}})$ also has exactly one reduct, namely, $\Pi_1$. Since $\Pi_1 \in \mathrm{RED}_{X^p \vec{t}}[\Omega] = \mathcal{R}\,\vec{t}$, this means,
by CR3, that $mc(\Pi_1, Id_{S \vec{t}})$ is in $\mathcal{R}\,\vec{t}$. Since $\Omega$ is definitionally closed, we have that $\Xi_2 \in \mathrm{RED}_{D X^p \vec{t}}[\Omega]$.
And since $\Xi_2$ is the only reduct of $\Xi_1$, this also means that, by Definition 15, $\Xi_1 \in \mathrm{RED}_{D X^p \vec{t}}[\Omega]$.

The reduct of $\Xi$, i.e. the derivation $mc(\Xi_1, \Pi_2, \ldots, \Pi_n, \Pi'\Omega)$, is therefore in $\mathrm{RED}_C[\Omega]$ by the induction
hypothesis.

II.5. Suppose $\Pi$ ends with $w\mathcal{L}$ or $c\mathcal{L}$ acting on $B_1$, or $init$. Then $\Pi\Omega$ also ends with the same rule. The
cut reduction rule that applies in this case is either $-/w\mathcal{L}$, $-/c\mathcal{L}$ or $-/init$. In these cases, parametric
reducibility of the reducts follows straightforwardly from the assumption (in case of $init$), the induction
hypothesis and Definition 15.

II.6. Suppose $\Pi$ ends with $mc$. Then $\Pi\Omega$ also ends with $mc$. The reduction rule that applies in this case
is the reduction $-/mc$. Parametric reducibility of the reduct in this case follows straightforwardly from the
induction hypothesis and Definition 15.

II.7. Suppose $\Pi$ ends with $subst$ or a rule acting on a formula other than a cut formula. Most cases follow
straightforwardly from the induction hypothesis, Lemma 14 and Lemma 15 (which is needed in the reduction
cases $-/\mathrm{eq}\mathcal{L}$ and $-/subst$). We show the interesting subcases here:



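$-/\mathrm{I}\mathcal{R}_p$ Suppose $\Pi$ ends with a non-trivial $\mathrm{I}\mathcal{R}_p$, i.e., $\Pi$ is

$$\dfrac{\begin{array}{c}\Pi' \\ B_1, \ldots, B_n, \Gamma \longrightarrow D\,X^p\,\vec{t}\end{array}}{B_1, \ldots, B_n, \Gamma \longrightarrow X^p\,\vec{t}}\ \mathrm{I}\mathcal{R}_p$$

where $p\,\vec{x} \stackrel{\mu}{=} D\,p\,\vec{x}$ and $X^p \in supp(\Omega)$. Suppose $\Omega(X^p) = (\mathcal{R}, \Pi_S, S)$. Then $\Pi\Omega$ is the derivation
$mc(\Pi'\Omega, \Pi_S[\vec{t}/\vec{x}])$. The reduct of $\Xi$ in this case is the derivation

$$\Xi' = mc(mc(\Pi_1, \ldots, \Pi_n, \Pi'\Omega), \Pi_S[\vec{t}/\vec{x}]).$$

By the induction hypothesis, we have $mc(\Pi_1, \ldots, \Pi_n, \Pi'\Omega) \in \mathrm{RED}_{D X^p \vec{t}}[\Omega]$. This, together with the
definitional closure of $\Omega$, implies that $\Xi' \in \mathcal{R}\,\vec{t} = \mathrm{RED}_{X^p \vec{t}}[\Omega]$.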



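$-/\mathrm{I}\mathcal{R}$ Suppose $\Pi$ is

$$\dfrac{\begin{array}{c}\Pi' \\ B_1, \ldots, B_n, \Gamma \longrightarrow D\,X^p\,\vec{t}\end{array}}{B_1, \ldots, B_n, \Gamma \longrightarrow p\,\vec{t}}\ \mathrm{I}\mathcal{R}$$

where $p\,\vec{y} \stackrel{\mu}{=} D\,p\,\vec{y}$. Without loss of generality we can assume that $X^p$ is chosen to be sufficiently fresh (e.g.,
not occurring in $\Omega$, $\Delta_i$, $B_i$, etc.). Let $\Xi_1 = mc(\Pi_1, \ldots, \Pi_n, \Pi'\Omega)$. Then the reduct of $\Xi$ is the derivation $\Xi'$

$$\dfrac{\begin{array}{c}\Xi_1 \\ \Delta_1, \ldots, \Delta_n, \Gamma\Omega \longrightarrow D\,X^p\,\vec{t}\end{array}}{\Delta_1, \ldots, \Delta_n, \Gamma\Omega \longrightarrow p\,\vec{t}}\ \mathrm{I}\mathcal{R}$$

To show that $\Xi' \in \mathrm{RED}_C[\Omega]$, we first need to show that it is normalizable. This follows straightforwardly
from the induction hypothesis (which shows that $\Xi_1 \in \mathrm{RED}_{D X^p \vec{t}}[\Omega]$) and Lemma 14. It then remains to
show that

$$\Xi_2 = mc(\Xi_1[(\Pi_S, S)/X^p], \Pi_S[\vec{t}/\vec{x}]) \in \mathcal{R}\,\vec{t}$$

for every reducibility candidate $(\mathcal{R} : S)$ and every $\Pi_S$ such that

$$\Pi_S[\vec{u}/\vec{x}] \in \mathrm{RED}_{D X^p \vec{u}}[\Omega, (\mathcal{R}, \Pi_S, S)/X^p] \Rightarrow \mathcal{R}\,\vec{u}, \text{ for every } \vec{u}. \qquad (7)$$

So suppose $(\mathcal{R}, \Pi_S, S)$ satisfies Statement (7) above. Let $\Omega' = [\Omega, (\mathcal{R}, \Pi_S, S)/X^p]$. By Lemma 19, $\Omega'$ is
definitionally closed. Note that since we assume that $X^p$ is a fresh parameter not occurring in $B_i$, we have
$\mathrm{RED}_{B_i}[\Omega] = \mathrm{RED}_{B_i}[\Omega']$ by Lemma 16 and $\Pi_i[(\Pi_S, S)/X^p] = \Pi_i \in \mathrm{RED}_{B_i}[\Omega']$ by Lemma 8 for every
$i \in \{1, \ldots, n\}$. Therefore, by the induction hypothesis we have:

$$\Xi_1[(\Pi_S, S)/X^p] = mc(\Pi_1, \ldots, \Pi_n, \Pi'\Omega') \in \mathrm{RED}_{D X^p \vec{t}}[\Omega'].$$

This, together with the definitional closure of $\Omega'$, implies that $\Xi_2 \in \mathcal{R}\,\vec{t}$.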



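$-/\mathrm{CI}\mathcal{L}_p$ Suppose $\Pi$ ends with a non-trivial $\mathrm{CI}\mathcal{L}_p$, i.e., $\Pi$ is

$$\dfrac{\begin{array}{c}\Pi' \\ B_1, \ldots, B_n, D\,X^p\,\vec{t}, \Gamma \longrightarrow C\end{array}}{B_1, \ldots, B_n, X^p\,\vec{t}, \Gamma \longrightarrow C}\ \mathrm{CI}\mathcal{L}_p$$

where $p\,\vec{x} \stackrel{\nu}{=} D\,p\,\vec{x}$ and $X^p \in supp(\Omega)$. Suppose $\Omega(X^p) = (\mathcal{R}, \Pi_S, S)$. Then $\Pi\Omega$ is

$$mc(mc(Id_{S \vec{t}}, \Pi_S[\vec{t}/\vec{x}]), \Pi'\Omega).$$

Let $\Xi_1 = mc(Id_{S \vec{t}}, \Pi_S[\vec{t}/\vec{x}])$. By CR4, $Id_{S \vec{t}} \in \mathcal{R}\,\vec{t}$, and therefore, by definitional closure of $\Omega$, we have
$\Xi_1 \in \mathrm{RED}_{D X^p \vec{t}}[\Omega]$. The reduct of $\Xi$ in this case is

$$mc(\Xi_1, \Pi_1, \ldots, \Pi_n, \Pi'\Omega)$$

which is in $\mathrm{RED}_C[\Omega]$ by the induction hypothesis.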



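$-/\mathrm{CI}\mathcal{R}$ Suppose $\Pi$ is

$$\dfrac{\begin{array}{c}\Pi' \\ B_1, \ldots, B_n, \Gamma \longrightarrow S\,\vec{t}\end{array} \quad \begin{array}{c}\Pi_S \\ S\,\vec{x} \longrightarrow D\,S\,\vec{x}\end{array}}{B_1, \ldots, B_n, \Gamma \longrightarrow p\,\vec{t}}\ \mathrm{CI}\mathcal{R}$$

where $p\,\vec{y} \stackrel{\nu}{=} D\,p\,\vec{y}$. Let $S' = S\Omega$. The derivation $\Pi\Omega$ in this case is

$$\dfrac{\begin{array}{c}\Pi'\Omega \\ B_1\Omega, \ldots, B_n\Omega, \Gamma\Omega \longrightarrow S'\,\vec{t}\end{array} \quad \begin{array}{c}\Pi_S\Omega \\ S'\,\vec{x} \longrightarrow D\,S'\,\vec{x}\end{array}}{B_1\Omega, \ldots, B_n\Omega, \Gamma\Omega \longrightarrow p\,\vec{t}}\ \mathrm{CI}\mathcal{R}$$

Let $\Xi_1$ be the derivation $mc(\Pi_1, \ldots, \Pi_n, \Pi'\Omega)$. By the induction hypothesis, $\Xi_1 \in \mathrm{RED}_{S \vec{t}}[\Omega]$ and
$\Pi_S\Omega \in \mathrm{RED}_{D S \vec{x}}[\Omega]$, hence both $\Xi_1$ and $\Pi_S\Omega$ are also normalizable by Lemma 14. The reduct of $\Xi$ is the derivation $\Xi'$

$$\dfrac{\begin{array}{c}\Xi_1 \\ \Delta_1, \ldots, \Delta_n, \Gamma\Omega \longrightarrow S'\,\vec{t}\end{array} \quad \begin{array}{c}\Pi_S\Omega \\ S'\,\vec{x} \longrightarrow D\,S'\,\vec{x}\end{array}}{\Delta_1, \ldots, \Delta_n, \Gamma\Omega \longrightarrow p\,\vec{t}}\ \mathrm{CI}\mathcal{R}$$

Let $X^p$ be a parameter fresh for $\Omega$, $\Gamma$, $\Delta_i$ and $B_i$.

To show that $\Xi' \in \mathrm{RED}_C[\Omega]$ we must first show that it is normalizable. This follows immediately
from normalizability of $\Xi_1$ and $\Pi_S\Omega$. Then we need to find a reducibility candidate $(\mathcal{R} : S')$ such that

(a) $\Xi_1 \in \mathcal{R}$, and

(b) $\Pi_S\Omega[\vec{u}/\vec{x}] \in \mathcal{R}\,\vec{u} \Rightarrow \mathrm{RED}_{D X^p \vec{u}}[\Omega, (\mathcal{R}, \Pi_S, S)/X^p]$.

Let $\mathcal{R} = \{\Psi \mid \Psi \in \mathrm{RED}_{S \vec{u}}[\Omega]\}$. As in case I.2.c, we show, using Lemma 17, that $\mathcal{R}$ is a reducibility
candidate of type $S'$. By the induction hypothesis, we have $\Xi_1 \in \mathcal{R}$, so $\mathcal{R}$ satisfies (a). Using the same
argument as in case I.2.c we can show that $\mathcal{R}$ also satisfies (b), i.e. by appealing to the induction hypothesis,
applied to $\Pi_S$.

□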
Corollary 22. Every derivation is reducible.

Proof. The proof follows from Lemma 21, by setting $n = 0$ and $\Omega$ to the empty candidate substitution. □

Since reducibility implies cut-elimination and since every cut-free derivation can be turned into a subst-free
derivation (LemmaQ, it follows that every proof can be transformed into a cut-free and subst-free derivation.

Corollary 23. Given a fixed definition, a sequent has a derivation in Linc$^-$ if and only if it has a cut-free
and subst-free derivation.

The consistency of Linc$^-$ is an immediate consequence of cut-elimination. By consistency we mean the
following: given a fixed definition and an arbitrary formula $C$, it is not the case that both $C$ and $C \supset \bot$ are
provable.

Corollary 24. The logic Linc$^-$ is consistent.



5. Related work and conclusions 

Of course, there is a long association between mathematical logic and inductive definitions 1,] and in
particular with proof-theory, starting with Takeuti's conjecture, the earliest relevant entry for our
purposes being Martin-Löf's original formulation of the theory of iterated inductive definitions [23]. From
the representation of algebraic types Q and the introduction of (co)inductive types in system F [28, 16],
(co)induction/recursion became mainstream and made it into type-theoretic proof assistants such as Coq [36],
first via a primitive recursive operator, but eventually in the let-rec style of functional programming
languages, as in Gimenez's Calculus of Infinite Constructions [17]. Unlike works in these type-theoretic settings,
we put less emphasis on proof terms and strong normalization; in fact, our cut elimination procedure is
actually a form of weak normalization, in the sense that our procedure only guarantees termination with respect
to a particular strategy, i.e., by reducing the lowest cuts in a derivation tree. Our notion of equality, which
internalizes unification in its left introduction rule, departs from the more traditional notion of equality. As
a consequence of these differences, it is not at all obvious that strong normalization proofs for term calculi
with (co-)inductive types can be adapted straightforwardly to our setting.

Baelde and Miller have recently introduced an extension of multiplicative-additive linear logic with least
and greatest fixed points 0, called $\mu$MALL. In that work, cut elimination is proved indirectly via a second-order
encoding of the least and the greatest fixed point operators into higher-order linear logic and via an
appeal to completeness of focused proofs for higher-order linear logic. Such an encoding can also be used
for proving cut elimination for Linc$^-$, but as we noted earlier, our main concern here is to provide a basis
for cut elimination for (orthogonal) extensions of Linc$^-$ with the $\nabla$-quantifier, for which there are currently
no known encodings into higher-order (linear) logic. Baelde has also given a direct cut-elimination proof for
$\mu$MALL 0. The proof uses a notion of orthogonality in the definition of reducibility, defined via classical
negation, so it is not clear if it can be adapted straightforwardly to an intuitionistic setting like ours.

Circular proofs are also connected with the proof-theory of fixed point logics and process calculi 4j| 51 1 ,
as well as in traditional sequent calculi such as in [8]. The issue is the equivalence between systems with local
vs. global induction, that is, between fixed point rules vs. well-founded and guarded induction (i.e. circular
proofs). In the traditional sequent calculus, it is unknown whether every global inductive proof can be
translated into a local one.

In higher order logic (co)inductive definitions are usually obtained via the Tarski set-theoretic fixed point
construction, as realized for example in Isabelle/HOL [37]. As we mentioned before, those approaches are
at odds with HOAS even at the level of the syntax. This issue has originated a research field in its own
right and we only mention the main contenders: in the Twelf system [49] the LF type theory is used to encode
deductive systems as judgments and to specify meta-theorems as relations (type families) among them; a logic
programming-like interpretation provides an operational semantics to those relations, so that an external
check for totality (incorporating termination, well-modedness and coverage [Hot |40|) verifies that the given
relation is indeed a realizer for that theorem. Coinduction is still unaccounted for and may require a switch
to a different operational semantics for LF. There exists a second approach to reasoning in LF that is built on
the idea of devising an explicit (meta-)meta-logic ($\mathcal{M}_\omega$) for reasoning (inductively) about the framework [48].
It can be seen as a constructive first-order inductive type theory, whose quantifiers range over possibly open
LF objects. In this calculus it is possible to express and inductively prove meta-logical properties of an
object level system. $\mathcal{M}_\omega$ can also be seen as a dependently-typed functional programming language, and
as such it has been refined into the Delphin programming language 4J]. In a similar vein Beluga [41] is
based on context modal logic 3J|, which provides a basis for a different foundation for programming with
HOAS and dependent types. Because all of these systems are programming languages, we refrain from a
deeper discussion. We only note that systems like Delphin or Beluga separate data from computations. This
means they are always based on eager evaluation, whereas co-recursive functions should be interpreted lazily.
Using standard techniques such as thunks to simulate lazy evaluation in such a context seems problematic
(Pientka, personal communication).

Weak higher-order abstract syntax (lpj is an approach that strives to co-exist with an inductive setting.
The problem of negative occurrences in datatypes is handled by replacing them with a new type. Similarly
for hypothetical judgments, although axioms are needed to reason about them, to mimic what is inferred by
the cut rule in our architecture. Miculan et al.'s framework embraces this axiomatic approach, extending
Coq with the "theory of contexts" (ToC). The theory includes axioms for the reification of key properties
of names akin to freshness. Furthermore, higher-order induction and recursion schemata on expressions are
also assumed. Hybrid @, [22] is a λ-calculus on top of Isabelle/HOL which provides the user with a full
HOAS syntax, compatible with a classical (co)-inductive setting. Linc⁻ improves on the latter on several
counts. First, it disposes of Hybrid's notion of abstraction, which is used to carve out the "parametric" function
space from the full HOL function space. Moreover, it is not restricted to second-order abstract syntax, as
the current Hybrid version is (and as ToC cannot escape from being). Finally, at higher types, reasoning via
$\mathrm{eq}\mathcal{L}$ and fixed points is more powerful than inversion, which does not exploit higher-order unification.

Nominal logic gives a different foundation to programming and reasoning with names. It can be presented
as a first-order theory [42], which includes primitives for variable renaming and freshness, and a (derived)
"new" freshness quantifier. It is endowed with natural principles of structural induction and recursion over
syntax [43]. Urban et al. have engineered a nominal datatype package inside Isabelle/HOL [35] analogous to
the standard datatype package but defining equivalence classes of term constructors. Co-induction/recursion
on nominal datatypes is not available, but to be fair it is also currently absent from Isabelle/HOL.

We have presented a proof theoretical treatment of both induction and co-induction in a sequent calculus
compatible with HOAS encodings. The proof principle underlying the explicit proof rules is basically fixed
point (co)induction. However, the formulation of the rules is inspired by a second-order encoding of least
and greatest fixed points. We have developed a new cut elimination proof, radically different from previous
proofs ([25], [51]), using a reducibility-candidate technique à la Girard.

Consistency of the logic is an easy consequence of cut-elimination. Our proof system is, as far as we know,
the first which incorporates a co-induction proof rule with a direct cut elimination proof. This schema can
be used as a springboard towards cut elimination procedures for more expressive (conservative) extensions
of Linc⁻, for example in the direction of $FO\lambda^{\Delta\nabla}$ [31], or more recently, the logic $LG^\omega$ [53] by Tiu and the
logic $\mathcal{G}$ by Gacek et al. [3].

An interesting problem is the connection with circular proofs, which is particularly attractive from the
viewpoint of proof search, both inductively and co-inductively. This could be realized by directly proving
a cut-elimination result for a logic where circular proofs, under termination and guardedness conditions,
completely replace (co)inductive rules. Indeed, the question whether "global" proofs are equivalent to "local"
proofs [H is still unsettled.

Acknowledgements. The Linc⁻ logic was developed in collaboration with Dale Miller. We thank David
Baelde for his comments on a draft of this paper.

A. The complete set of cut reduction rules

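Essential cases:

$\land\mathcal{R}/\land\mathcal{L}$ If $\Pi_1$ and $\Pi$ are

$$
\infer[\land\mathcal{R}]{\Delta_1 \longrightarrow B_1' \land B_1''}
  {\deduce{\Delta_1 \longrightarrow B_1'}{\Pi_1'} & \deduce{\Delta_1 \longrightarrow B_1''}{\Pi_1''}}
\qquad
\infer[\land\mathcal{L}]{B_1' \land B_1'', B_2, \ldots, B_n, \Gamma \longrightarrow C}
  {\deduce{B_1', B_2, \ldots, B_n, \Gamma \longrightarrow C}{\Pi'}}
$$

then $\Xi$ reduces to $mc(\Pi_1', \Pi_2, \ldots, \Pi_n, \Pi')$. The case for the other $\land\mathcal{L}$ rule is symmetric.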



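$\lor\mathcal{R}/\lor\mathcal{L}$ Suppose $\Pi_1$ and $\Pi$ are

$$
\infer[\lor\mathcal{R}]{\Delta_1 \longrightarrow B_1' \lor B_1''}
  {\deduce{\Delta_1 \longrightarrow B_1'}{\Pi_1'}}
\qquad
\infer[\lor\mathcal{L}]{B_1' \lor B_1'', B_2, \ldots, B_n, \Gamma \longrightarrow C}
  {\deduce{B_1', B_2, \ldots, B_n, \Gamma \longrightarrow C}{\Pi'} & \deduce{B_1'', B_2, \ldots, B_n, \Gamma \longrightarrow C}{\Pi''}}
$$

Then $\Xi$ reduces to $mc(\Pi_1', \Pi_2, \ldots, \Pi_n, \Pi')$. The case for the other $\lor\mathcal{R}$ rule is symmetric.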
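$\supset\mathcal{R}/\supset\mathcal{L}$ Suppose $\Pi_1$ and $\Pi$ are

$$
\infer[\supset\mathcal{R}]{\Delta_1 \longrightarrow B_1' \supset B_1''}
  {\deduce{B_1', \Delta_1 \longrightarrow B_1''}{\Pi_1'}}
\qquad
\infer[\supset\mathcal{L}]{B_1' \supset B_1'', B_2, \ldots, B_n, \Gamma \longrightarrow C}
  {\deduce{B_2, \ldots, B_n, \Gamma \longrightarrow B_1'}{\Pi'} & \deduce{B_1'', B_2, \ldots, B_n, \Gamma \longrightarrow C}{\Pi''}}
$$

Let $\Xi_1 = mc(mc(\Pi_2, \ldots, \Pi_n, \Pi'), \Pi_1')$. Then $\Xi$ reduces to

$$
\infer[c\mathcal{L}]{\Delta_1, \ldots, \Delta_n, \Gamma \longrightarrow C}{
  \infer[mc]{\Delta_1, \ldots, \Delta_n, \Gamma, \Delta_2, \ldots, \Delta_n, \Gamma \longrightarrow C}{
    \deduce{\ldots \longrightarrow B_1''}{\Xi_1}
    & \left\{\deduce{\Delta_i \longrightarrow B_i}{\Pi_i}\right\}_{i \in \{2..n\}}
    & \deduce{B_1'', \{B_i\}_{i \in \{2..n\}}, \Gamma \longrightarrow C}{\Pi''}}}
$$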



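$\forall\mathcal{R}/\forall\mathcal{L}$ If $\Pi_1$ and $\Pi$ are

$$
\infer[\forall\mathcal{R}]{\Delta_1 \longrightarrow \forall x.B_1'}
  {\deduce{\Delta_1 \longrightarrow B_1'[y/x]}{\Pi_1'}}
\qquad
\infer[\forall\mathcal{L}]{\forall x.B_1', B_2, \ldots, B_n, \Gamma \longrightarrow C}
  {\deduce{B_1'[t/x], B_2, \ldots, B_n, \Gamma \longrightarrow C}{\Pi'}}
$$

then $\Xi$ reduces to $mc(\Pi_1'[t/y], \Pi_2, \ldots, \Pi_n, \Pi')$.

$\exists\mathcal{R}/\exists\mathcal{L}$ If $\Pi_1$ and $\Pi$ are

$$
\infer[\exists\mathcal{R}]{\Delta_1 \longrightarrow \exists x.B_1'}
  {\deduce{\Delta_1 \longrightarrow B_1'[t/x]}{\Pi_1'}}
\qquad
\infer[\exists\mathcal{L}]{\exists x.B_1', B_2, \ldots, B_n, \Gamma \longrightarrow C}
  {\deduce{B_1'[y/x], B_2, \ldots, B_n, \Gamma \longrightarrow C}{\Pi'}}
$$

then $\Xi$ reduces to $mc(\Pi_1', \Pi_2, \ldots, \Pi_n, \Pi'[t/y])$.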



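$\mathrm{I}\mathcal{R}/\mathrm{I}\mathcal{L}$ Suppose $\Pi_1$ and $\Pi$ are, respectively,

$$
\infer[\mathrm{I}\mathcal{R}]{\Delta_1 \longrightarrow p\,t}
  {\deduce{\Delta_1 \longrightarrow D\,X^p\,t}{\Pi_1'}}
\qquad
\infer[\mathrm{I}\mathcal{L}]{p\,t, B_2, \ldots, B_n, \Gamma \longrightarrow C}
  {\deduce{D\,S\,y \longrightarrow S\,y}{\Pi_S} & \deduce{S\,t, B_2, \ldots, B_n, \Gamma \longrightarrow C}{\Pi'}}
$$

where $p\,x = D\,p\,x$ and $X^p$ is a new parameter. Then $\Xi$ reduces to

$$
mc(mc(\Pi_1'[(\Pi_S, S)/X^p], \Pi_S[t/y]), \Pi_2, \ldots, \Pi_n, \Pi').
$$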
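$\mathrm{CI}\mathcal{R}/\mathrm{CI}\mathcal{L}$ Suppose $\Pi_1$ and $\Pi$ are

$$
\infer[\mathrm{CI}\mathcal{R}]{\Delta_1 \longrightarrow p\,t}
  {\deduce{\Delta_1 \longrightarrow S\,t}{\Pi_1'} & \deduce{S\,y \longrightarrow D\,S\,y}{\Pi_S}}
\qquad
\infer[\mathrm{CI}\mathcal{L}]{p\,t, \ldots, \Gamma \longrightarrow C}
  {\deduce{D\,X^p\,t, \ldots, \Gamma \longrightarrow C}{\Pi'}}
$$

where $p\,y = D\,p\,y$ and $X^p$ is a new parameter. Then $\Xi$ reduces to

$$
mc(mc(\Pi_1', \Pi_S[t/y]), \Pi_2, \ldots, \Pi_n, \Pi'[(\Pi_S, S)/X^p]).
$$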



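$\mathrm{eq}\mathcal{R}/\mathrm{eq}\mathcal{L}$ Suppose $\Pi_1$ and $\Pi$ are

$$
\infer[\mathrm{eq}\mathcal{R}]{\Delta_1 \longrightarrow s = t}{}
\qquad
\infer[\mathrm{eq}\mathcal{L}]{s = t, B_2, \ldots, B_n, \Gamma \longrightarrow C}
  {\left\{\deduce{B_2\rho, \ldots, B_n\rho, \Gamma\rho \longrightarrow C\rho}{\Pi^\rho}\right\}_\rho}
$$

Note that in this case, $\rho$ in $\Pi$ ranges over all substitutions, as any substitution is a unifier of $s$ and $t$. Let $\Xi_1$
be the derivation $mc(\Pi_2, \ldots, \Pi_n, subst(\{\Pi^\rho\}_\rho))$. Then $\Xi$ reduces to

$$
\infer[w\mathcal{L}]{\Delta_1, \Delta_2, \ldots, \Delta_n, \Gamma \longrightarrow C}
  {\deduce{\Delta_2, \ldots, \Delta_n, \Gamma \longrightarrow C}{\Xi_1}}
$$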



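Left-commutative cases: In the following cases, we suppose that $\Pi$ ends with a left rule, other than $\{c\mathcal{L}, w\mathcal{L}\}$,
acting on $B_1$.

$\bullet\mathcal{L}/\circ\mathcal{L}$ Suppose $\Pi_1$ is as below left, where $\bullet\mathcal{L}$ is any left rule except $\supset\mathcal{L}$, $\mathrm{eq}\mathcal{L}$, or $\mathrm{I}\mathcal{L}$. Let
$\Xi^i = mc(\Pi_1^i, \Pi_2, \ldots, \Pi_n, \Pi)$. Then $\Xi$ reduces to the derivation given below right.

$$
\infer[\bullet\mathcal{L}]{\Delta_1 \longrightarrow B_1}
  {\left\{\deduce{\Delta_1^i \longrightarrow B_1}{\Pi_1^i}\right\}}
\qquad
\infer[\bullet\mathcal{L}]{\Delta_1, \Delta_2, \ldots, \Delta_n, \Gamma \longrightarrow C}
  {\left\{\deduce{\Delta_1^i, \Delta_2, \ldots, \Delta_n, \Gamma \longrightarrow C}{\Xi^i}\right\}}
$$

$\supset\mathcal{L}/\circ\mathcal{L}$ Suppose $\Pi_1$ is

$$
\infer[\supset\mathcal{L}]{D_1' \supset D_1'', \Delta_1' \longrightarrow B_1}
  {\deduce{\Delta_1' \longrightarrow D_1'}{\Pi_1'} & \deduce{D_1'', \Delta_1' \longrightarrow B_1}{\Pi_1''}}
$$

Let $\Xi_1 = mc(\Pi_1'', \Pi_2, \ldots, \Pi_n, \Pi)$. Then $\Xi$ reduces to

$$
\infer[\supset\mathcal{L}]{D_1' \supset D_1'', \Delta_1', \Delta_2, \ldots, \Delta_n, \Gamma \longrightarrow C}{
  \infer[w\mathcal{L}]{\Delta_1', \Delta_2, \ldots, \Delta_n, \Gamma \longrightarrow D_1'}
    {\deduce{\Delta_1' \longrightarrow D_1'}{\Pi_1'}}
  & \deduce{D_1'', \Delta_1', \Delta_2, \ldots, \Delta_n, \Gamma \longrightarrow C}{\Xi_1}}
$$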



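$\mathrm{I}\mathcal{L}/\circ\mathcal{L}$ Suppose $\Pi_1$ is

$$
\infer[\mathrm{I}\mathcal{L}]{p\,t, \Delta_1' \longrightarrow B_1}
  {\deduce{D\,S\,y \longrightarrow S\,y}{\Pi_S} & \deduce{S\,t, \Delta_1' \longrightarrow B_1}{\Pi_1'}}
$$

where $p\,y = D\,p\,y$. Let $\Xi_1 = mc(\Pi_1', \Pi_2, \ldots, \Pi_n, \Pi)$. Then $\Xi$ reduces to

$$
\infer[\mathrm{I}\mathcal{L}]{p\,t, \Delta_1', \ldots, \Delta_n, \Gamma \longrightarrow C}
  {\deduce{D\,S\,y \longrightarrow S\,y}{\Pi_S} & \deduce{S\,t, \Delta_1', \ldots, \Delta_n, \Gamma \longrightarrow C}{\Xi_1}}
$$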
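$\mathrm{eq}\mathcal{L}/\circ\mathcal{L}$ Suppose $\Pi_1$ is as below left. Let $\Xi^\rho = mc(\Pi_1^\rho, \Pi_2\rho, \ldots, \Pi_n\rho, \Pi\rho)$. Then $\Xi$ reduces to the derivation
given below right.

$$
\infer[\mathrm{eq}\mathcal{L}]{s = t, \Delta_1' \longrightarrow B_1}
  {\left\{\deduce{\Delta_1'\rho \longrightarrow B_1\rho}{\Pi_1^\rho}\right\}_\rho}
\qquad
\infer[\mathrm{eq}\mathcal{L}]{s = t, \Delta_1', \Delta_2, \ldots, \Delta_n, \Gamma \longrightarrow C}
  {\left\{\deduce{\Delta_1'\rho, \Delta_2\rho, \ldots, \Delta_n\rho, \Gamma\rho \longrightarrow C\rho}{\Xi^\rho}\right\}_\rho}
$$

$subst/\circ\mathcal{L}$ Suppose $\Pi_1$ is $subst(\{\Pi_1^\rho\}_\rho)$. Then $\Xi$ reduces to

$$
subst(\{mc(\Pi_1^\rho, \Pi_2\rho, \ldots, \Pi_n\rho, \Pi\rho)\}_\rho).
$$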



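Right-commutative cases:

$-/\circ\mathcal{L}$ Suppose $\Pi$ is as given below left, where $\circ\mathcal{L}$ is any left rule other than $\supset\mathcal{L}$, $\mathrm{eq}\mathcal{L}$, or $\mathrm{I}\mathcal{L}$ acting
on a formula other than $B_1, \ldots, B_n$. Let $\Xi^i = mc(\Pi_1, \ldots, \Pi_n, \Pi^i)$. Then $\Xi$ reduces to the derivation given
below right.

$$
\infer[\circ\mathcal{L}]{B_1, \ldots, B_n, \Gamma \longrightarrow C}
  {\left\{\deduce{B_1, \ldots, B_n, \Gamma^i \longrightarrow C}{\Pi^i}\right\}}
\qquad
\infer[\circ\mathcal{L}]{\Delta_1, \ldots, \Delta_n, \Gamma \longrightarrow C}
  {\left\{\deduce{\Delta_1, \ldots, \Delta_n, \Gamma^i \longrightarrow C}{\Xi^i}\right\}}
$$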



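$-/\supset\mathcal{L}$ Suppose $\Pi$ is

$$
\infer[\supset\mathcal{L}]{B_1, \ldots, B_n, D' \supset D'', \Gamma' \longrightarrow C}
  {\deduce{B_1, \ldots, B_n, \Gamma' \longrightarrow D'}{\Pi'} & \deduce{B_1, \ldots, B_n, D'', \Gamma' \longrightarrow C}{\Pi''}}
$$

Let $\Xi_1 = mc(\Pi_1, \ldots, \Pi_n, \Pi')$ and let $\Xi_2 = mc(\Pi_1, \ldots, \Pi_n, \Pi'')$. Then $\Xi$ reduces to

$$
\infer[\supset\mathcal{L}]{\Delta_1, \ldots, \Delta_n, D' \supset D'', \Gamma' \longrightarrow C}
  {\deduce{\Delta_1, \ldots, \Delta_n, \Gamma' \longrightarrow D'}{\Xi_1} & \deduce{\Delta_1, \ldots, \Delta_n, D'', \Gamma' \longrightarrow C}{\Xi_2}}
$$

$-/\mathrm{I}\mathcal{L}$ Suppose $\Pi$ is

$$
\infer[\mathrm{I}\mathcal{L}]{B_1, \ldots, B_n, p\,t, \Gamma' \longrightarrow C}
  {\deduce{D\,S\,y \longrightarrow S\,y}{\Pi_S} & \deduce{B_1, \ldots, B_n, S\,t, \Gamma' \longrightarrow C}{\Pi'}}
$$

where $p\,y = D\,p\,y$. Let $\Xi_1 = mc(\Pi_1, \ldots, \Pi_n, \Pi')$. Then $\Xi$ reduces to

$$
\infer[\mathrm{I}\mathcal{L}]{\Delta_1, \ldots, \Delta_n, p\,t, \Gamma' \longrightarrow C}
  {\deduce{D\,S\,y \longrightarrow S\,y}{\Pi_S} & \deduce{\Delta_1, \ldots, \Delta_n, S\,t, \Gamma' \longrightarrow C}{\Xi_1}}
$$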



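$-/\mathrm{eq}\mathcal{L}$ Suppose $\Pi$ is as shown below left. Let $\Xi^\rho = mc(\Pi_1\rho, \ldots, \Pi_n\rho, \Pi^\rho)$. Then $\Xi$ reduces to the derivation
below right.

$$
\infer[\mathrm{eq}\mathcal{L}]{B_1, \ldots, B_n, s = t, \Gamma' \longrightarrow C}
  {\left\{\deduce{B_1\rho, \ldots, B_n\rho, \Gamma'\rho \longrightarrow C\rho}{\Pi^\rho}\right\}_\rho}
\qquad
\infer[\mathrm{eq}\mathcal{L}]{\Delta_1, \ldots, \Delta_n, s = t, \Gamma' \longrightarrow C}
  {\left\{\deduce{\Delta_1\rho, \ldots, \Delta_n\rho, \Gamma'\rho \longrightarrow C\rho}{\Xi^\rho}\right\}_\rho}
$$

$-/subst$ If $\Pi = subst(\{\Pi^\rho\}_\rho)$ then $\Xi$ reduces to $subst(\{mc(\Pi_1\rho, \ldots, \Pi_n\rho, \Pi^\rho)\}_\rho)$.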



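$-/\circ\mathcal{R}$ If $\Pi$ is as below left, where $\circ\mathcal{R}$ is any right rule except $\mathrm{CI}\mathcal{R}$, then $\Xi$ reduces to the derivation
below right, where $\Xi^i = mc(\Pi_1, \ldots, \Pi_n, \Pi^i)$.

$$
\infer[\circ\mathcal{R}]{B_1, \ldots, B_n, \Gamma \longrightarrow C}
  {\left\{\deduce{B_1, \ldots, B_n, \Gamma^i \longrightarrow C^i}{\Pi^i}\right\}}
\qquad
\infer[\circ\mathcal{R}]{\Delta_1, \ldots, \Delta_n, \Gamma \longrightarrow C}
  {\left\{\deduce{\Delta_1, \ldots, \Delta_n, \Gamma^i \longrightarrow C^i}{\Xi^i}\right\}}
$$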
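$-/\mathrm{CI}\mathcal{R}$ Suppose $\Pi$ is

$$
\infer[\mathrm{CI}\mathcal{R}]{B_1, \ldots, B_n, \Gamma \longrightarrow p\,t}
  {\deduce{B_1, \ldots, B_n, \Gamma \longrightarrow S\,t}{\Pi'} & \deduce{S\,y \longrightarrow D\,S\,y}{\Pi_S}}
$$

where $p\,y = D\,p\,y$. Let $\Xi_1 = mc(\Pi_1, \ldots, \Pi_n, \Pi')$. Then $\Xi$ reduces to

$$
\infer[\mathrm{CI}\mathcal{R}]{\Delta_1, \ldots, \Delta_n, \Gamma \longrightarrow p\,t}
  {\deduce{\Delta_1, \ldots, \Delta_n, \Gamma \longrightarrow S\,t}{\Xi_1} & \deduce{S\,y \longrightarrow D\,S\,y}{\Pi_S}}
$$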



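Multicut cases:

$mc/\circ\mathcal{L}$ If $\Pi$ ends with a left rule, other than $c\mathcal{L}$ and $w\mathcal{L}$, acting on $B_1$ and $\Pi_1$ ends with a multicut and
reduces to $\Pi_1'$, then $\Xi$ reduces to $mc(\Pi_1', \Pi_2, \ldots, \Pi_n, \Pi)$.

$-/mc$ Suppose $\Pi$ is

$$
\infer[mc]{B_1, \ldots, B_n, \Gamma^1, \ldots, \Gamma^m, \Gamma' \longrightarrow C}{
  \left\{\deduce{\{B_i\}_{i \in I^j}, \Gamma^j \longrightarrow D^j}{\Pi^j}\right\}_{j \in \{1..m\}}
  & \deduce{\{D^j\}_{j \in \{1..m\}}, \{B_i\}_{i \in I'}, \Gamma' \longrightarrow C}{\Pi'}}
$$

where $I^1, \ldots, I^m, I'$ partition the formulas $\{B_i\}_{i \in \{1..n\}}$ among the premise derivations $\Pi^1, \ldots, \Pi^m, \Pi'$. For
$1 \le j \le m$ let $\Xi^j$ be

$$
\infer[mc]{\{\Delta_i\}_{i \in I^j}, \Gamma^j \longrightarrow D^j}{
  \left\{\deduce{\Delta_i \longrightarrow B_i}{\Pi_i}\right\}_{i \in I^j}
  & \deduce{\{B_i\}_{i \in I^j}, \Gamma^j \longrightarrow D^j}{\Pi^j}}
$$

Then $\Xi$ reduces to

$$
\infer[mc]{\Delta_1, \ldots, \Delta_n, \Gamma^1, \ldots, \Gamma^m, \Gamma' \longrightarrow C}{
  \left\{\deduce{\ldots \longrightarrow D^j}{\Xi^j}\right\}_{j \in \{1..m\}}
  & \left\{\deduce{\Delta_i \longrightarrow B_i}{\Pi_i}\right\}_{i \in I'}
  & \deduce{\ldots \longrightarrow C}{\Pi'}}
$$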



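Structural cases:

$-/c\mathcal{L}$ If $\Pi$ is as shown below left, then $\Xi$ reduces to the derivation shown below right, where
$\Xi_1 = mc(\Pi_1, \Pi_1, \Pi_2, \ldots, \Pi_n, \Pi')$.

$$
\infer[c\mathcal{L}]{B_1, B_2, \ldots, B_n, \Gamma \longrightarrow C}
  {\deduce{B_1, B_1, B_2, \ldots, B_n, \Gamma \longrightarrow C}{\Pi'}}
\qquad
\infer[c\mathcal{L}]{\Delta_1, \Delta_2, \ldots, \Delta_n, \Gamma \longrightarrow C}
  {\deduce{\Delta_1, \Delta_1, \Delta_2, \ldots, \Delta_n, \Gamma \longrightarrow C}{\Xi_1}}
$$

$-/w\mathcal{L}$ If $\Pi$ is as shown below left, then $\Xi$ reduces to the derivation shown below right, where
$\Xi_1 = mc(\Pi_2, \ldots, \Pi_n, \Pi')$.

$$
\infer[w\mathcal{L}]{B_1, B_2, \ldots, B_n, \Gamma \longrightarrow C}
  {\deduce{B_2, \ldots, B_n, \Gamma \longrightarrow C}{\Pi'}}
\qquad
\infer[w\mathcal{L}]{\Delta_1, \Delta_2, \ldots, \Delta_n, \Gamma \longrightarrow C}
  {\deduce{\Delta_2, \ldots, \Delta_n, \Gamma \longrightarrow C}{\Xi_1}}
$$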



Axiom cases:

$init/\circ\mathcal{L}$ Suppose $\Pi$ ends with a left-rule acting on $B_1$ and $\Pi_1$ ends with the $init$ rule. Then it must be the
case that $\Delta_1 = \{B_1\}$ and $\Xi$ reduces to $mc(\Pi_2, \ldots, \Pi_n, \Pi)$.

$-/init$ If $\Pi$ ends with the $init$ rule, then $n = 1$, $\Gamma$ is the empty multiset, and $C$ must be a cut formula, i.e.,
$C = B_1$. Therefore $\Xi$ reduces to $\Pi_1$.



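B. Proofs for Section 4.1 and Section 4.3

Lemma 9. Let $\Pi$ be a derivation ending with a $mc$ and let $\theta$ be a substitution. If $\Pi\theta$ reduces to $\Xi$ then
there exists a derivation $\Pi'$ such that $\Xi = \Pi'\theta$ and $\Pi$ reduces to $\Pi'$.

Proof. Observe that the redexes of a derivation are not affected by eigenvariable substitution, since the
cut reduction rules are determined by the last rules of the premise derivations, which are not changed by
substitution. Therefore, any cut reduction rule that is applied to $\Pi\theta$ to get $\Xi$ can also be applied to $\Pi$.
Suppose that $\Pi'$ is the reduct of $\Pi$ obtained this way. In all cases, except for the cases where the reduction
rule applied is either $\mathrm{I}\mathcal{R}/\mathrm{I}\mathcal{L}$, $\mathrm{CI}\mathcal{L}/\mathrm{CI}\mathcal{R}$, or those involving $\mathrm{eq}\mathcal{L}$, it is a matter of routine to check that $\Pi'\theta = \Xi$.
For the reduction rules $\mathrm{I}\mathcal{R}/\mathrm{I}\mathcal{L}$ and $\mathrm{CI}\mathcal{L}/\mathrm{CI}\mathcal{R}$, we need Lemma|S] which shows that eigenvariable substitution
commutes with parameter substitution. We show here the case involving $\mathrm{eq}\mathcal{L}$. The only interesting case is
the reduction $\mathrm{eq}\mathcal{L}/\mathrm{eq}\mathcal{R}$. For simplicity, we show the case where $\Pi$ ends with $mc$ with three premises; it is
straightforward to adapt the following analysis to the more general case. So suppose $\Pi$ is the derivation:

$$
\infer[mc]{\Delta_1, \Delta_2, \Gamma \longrightarrow C}{
  \infer[\mathrm{eq}\mathcal{R}]{\Delta_1 \longrightarrow t = t}{}
  & \deduce{\Delta_2 \longrightarrow B}{\Pi_2}
  & \infer[\mathrm{eq}\mathcal{L}]{t = t, B, \Gamma \longrightarrow C}
      {\left\{\deduce{B\rho, \Gamma\rho \longrightarrow C\rho}{\Pi^\rho}\right\}_\rho}}
$$

According to Definition [5] the derivation $\Pi\theta$ is

$$
\infer[mc]{\Delta_1\theta, \Delta_2\theta, \Gamma\theta \longrightarrow C\theta}{
  \infer[\mathrm{eq}\mathcal{R}]{\Delta_1\theta \longrightarrow t\theta = t\theta}{}
  & \deduce{\Delta_2\theta \longrightarrow B\theta}{\Pi_2\theta}
  & \infer[\mathrm{eq}\mathcal{L}]{t\theta = t\theta, B\theta, \Gamma\theta \longrightarrow C\theta}
      {\left\{\deduce{B\theta\rho', \Gamma\theta\rho' \longrightarrow C\theta\rho'}{\Pi^{(\theta \circ \rho')}}\right\}_{\rho'}}}
$$

Let $\Psi = mc(\Pi_2\theta, subst(\{\Pi^{\theta \circ \rho'}\}_{\rho'}))$. The reduct of $\Pi\theta$ in this case (modulo the different order in which the
weakening steps are applied) is:

$$
\infer[w\mathcal{L}]{\Delta_1\theta, \Delta_2\theta, \Gamma\theta \longrightarrow C\theta}
  {\deduce{\Delta_2\theta, \Gamma\theta \longrightarrow C\theta}{\Psi}}
$$

Let us call this derivation $\Xi$.

Let $\Psi' = mc(\Pi_2, subst(\{\Pi^\rho\}_\rho))$. The above reduct can be matched by the following reduct of $\Pi$ (using
the same order of applications of the weakening steps):

$$
\infer[w\mathcal{L}]{\Delta_1, \Delta_2, \Gamma \longrightarrow C}
  {\deduce{\Delta_2, \Gamma \longrightarrow C}{\Psi'}}
$$

Let us call this derivation $\Pi'$. By Definition [5] we have $\Psi'\theta = \Psi$, and obviously, also $\Xi = \Pi'\theta$. □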
Lemma 14. If $\Pi \in \mathrm{RED}_C[\Omega]$ then $\Pi$ is normalizable.

Proof. By case analysis on $C$. If $C = X^p u$ for some $u$ and $X^p \in supp(\Omega)$ then $\Pi \in \mathcal{R}$, where
$\Omega(X^p) = (\mathcal{R}, \Pi_S, S)$, hence it is normalizable by Definition Q2] (specifically, condition CR1). Otherwise,
$\Pi$ is normalizable by Definition [15]. □

Lemma 15. If $\Pi \in \mathrm{RED}_C[\Omega]$ then for every substitution $\rho$, $\Pi\rho \in \mathrm{RED}_{C\rho}[\Omega]$.

Proof. By induction on $|C|$ with sub-induction on $nd(\Pi)$.

Suppose $C = X^q u$, for some $u$ and some $X^q \in supp(\Omega)$, and suppose $\Omega(X^q) = (\mathcal{R}, \Pi_S, S)$. Then $\Pi \in \mathcal{R}$
by Definition [T21. By Definition Q2] (CR0) we also have $\Pi\rho \in \mathcal{R}$. Otherwise, suppose $X^q \notin supp(\Omega)$. Then
$\Pi \in \mathrm{NM}_{X^q u}$ by Definition H31. By Lemma HU we have $\Pi\rho \in \mathrm{NM}_{(X^q u)\rho}$, therefore $\Pi\rho \in \mathrm{RED}_{C\rho}[\Omega]$.

Otherwise, $C \neq X^q u$ for any $u$ and any parameter $X^q$. In this case, to apply the inner induction hypothesis,
we need to show that $\Pi\rho$ is normalizable, which follows immediately from Lemma [14] and Lemma [11].
We distinguish several cases based on the last rule of $\Pi$:

• Suppose $\Pi$ ends with $mc$, i.e., $\Pi = mc(\Pi_1, \ldots, \Pi_n, \Pi')$ for some $\Pi_1, \ldots, \Pi_n$ and $\Pi'$. By LemmaO every
reduct of $\Pi\rho$, say $\Xi$, is the result of applying $\rho$ to a reduct of $\Pi$. By the inner induction hypothesis (on
the normalization degree), every reduct of $\Pi\rho$ is in $\mathrm{RED}_{C\rho}[\Omega]$, and therefore $\Pi\rho$ is also in $\mathrm{RED}_{C\rho}[\Omega]$
by Definition [TS] (P2).

• Suppose $\Pi$ ends with $\supset\mathcal{R}$, with the premise derivation $\Pi'$. In this case, $C = B \supset D$ for some $B$ and
$D$. Since $\Pi \in \mathrm{RED}_C[\Omega]$, we have that (P3)

$$
\Pi'\theta \in (\mathrm{RED}_{B\theta}[\Omega] \Rightarrow \mathrm{RED}_{D\theta}[\Omega]) \qquad (8)
$$

for every $\theta$. We need to show that $\Pi'\rho\delta \in (\mathrm{RED}_{B\rho\delta}[\Omega] \Rightarrow \mathrm{RED}_{D\rho\delta}[\Omega])$ for every $\delta$. Note that by
Lemma [5] $\Pi'\rho\delta = \Pi'(\rho \circ \delta)$, so this is just an instance of Statement (8) above.

• $\Pi$ ends with $\mathrm{I}\mathcal{R}$ or $\mathrm{CI}\mathcal{R}$: This follows from Definition [15] and the fact that reducibility candidates are
closed under substitution (condition CR0 in Definition [T5|). In the case where $\Pi$ ends with $\mathrm{I}\mathcal{R}$, we
also need the fact that eigenvariable substitution commutes with parameter substitution (Lemma [7]).
In the case where $\Pi$ ends with $\mathrm{CI}\mathcal{R}$, to establish $\Pi\rho \in \mathrm{RED}_{C\rho}[\Omega]$, we can use the same reducibility
candidate which is used to establish $\Pi \in \mathrm{RED}_C[\Omega]$.

• $\Pi$ ends with a rule other than $mc$, $\supset\mathcal{R}$, $\mathrm{I}\mathcal{R}$ or $\mathrm{CI}\mathcal{R}$: This case follows straightforwardly from the
induction hypothesis.

□

Lemma 16. Let $\Omega = [\Omega', (\mathcal{R}, \Pi_S, S)/X^p]$. Let $C$ be a formula such that $X^p \# C$. Then for every $\Pi$,
$\Pi \in \mathrm{RED}_C[\Omega]$ if and only if $\Pi \in \mathrm{RED}_C[\Omega']$.

Proof. By induction on $|C|$ with sub-induction on $nd(\Pi)$.

Suppose $C = Y^q u$ for some $Y^q \in supp(\Omega)$ and suppose $\Omega(Y^q) = (\mathcal{R}', \Pi_I, I)$. Since $X^p \# C$, this means
that $Y^q \in supp(\Omega')$ and $\Omega'(Y^q) = \Omega(Y^q)$. Then obviously, $\Pi \in \mathrm{RED}_C[\Omega]$ iff $\Pi \in \mathrm{RED}_C[\Omega']$. If $Y^q \notin supp(\Omega)$,
then obviously $\mathrm{RED}_C[\Omega] = \mathrm{NM}_{Y^q u} = \mathrm{RED}_C[\Omega']$.

Otherwise, suppose $C \neq Y^q u$, and $\Pi \in \mathrm{RED}_C[\Omega]$. The latter implies that $\Pi$ is normalizable. We show,
by induction on $nd(\Pi)$, that $\Pi \in \mathrm{RED}_C[\Omega']$. In most cases, this follows straightforwardly from the induction
hypothesis. We show the interesting cases here:

• Suppose $\Pi$ ends with $\supset\mathcal{R}$, i.e., $C = B \supset D$ for some $B$ and $D$ and $\Pi$ is of the form:

$$
\infer[\supset\mathcal{R}]{\Gamma \longrightarrow B\Omega \supset D\Omega}
  {\deduce{\Gamma, B\Omega \longrightarrow D\Omega}{\Pi'}}
$$

Note that since $X^p \# C$, we have that $B\Omega = B\Omega'$ and $D\Omega = D\Omega'$. Since $\Pi \in \mathrm{RED}_C[\Omega]$, we have

$$
\Pi'\rho \in (\mathrm{RED}_{B\rho}[\Omega] \Rightarrow \mathrm{RED}_{D\rho}[\Omega])
$$

for every $\rho$. Since $|B| < |C|$ and $|D| < |C|$, by the (outer) induction hypothesis, we have $\mathrm{RED}_{B\rho}[\Omega] =
\mathrm{RED}_{B\rho}[\Omega']$ and $\mathrm{RED}_{D\rho}[\Omega] = \mathrm{RED}_{D\rho}[\Omega']$. Therefore, we also have that

$$
\Pi'\rho \in (\mathrm{RED}_{B\rho}[\Omega'] \Rightarrow \mathrm{RED}_{D\rho}[\Omega'])
$$

for every $\rho$. This means, by Definition fTS] that $\Pi \in \mathrm{RED}_C[\Omega']$.

• Suppose $\Pi$ ends with $\mathrm{I}\mathcal{R}$:

$$
\infer[\mathrm{I}\mathcal{R}]{\Gamma \longrightarrow q\,t}
  {\deduce{\Gamma \longrightarrow D\,Y^q\,t}{\Pi'}}
$$

where $q\,x = D\,q\,x$ and $Y^q$ is a new parameter. Since we identify derivations which differ only in the
choice of internal variables and parameters, we can assume without loss of generality that $Y^q \# \Omega$. Note
that since the body of a definition cannot contain occurrences of parameters, we also have $X^p \# D\,Y^q\,t$.
Suppose $\mathcal{S}$ is a reducibility candidate of type $I$, for some closed term $I$ of the same syntactic type as $q$,
and suppose $\Pi_I$ is a normalizable derivation of $D\,I\,y \longrightarrow I\,y$ such that

$$
\Pi_I[u/y] \in (\mathrm{RED}_{(D\,Y^q\,u)}[\Omega', (\mathcal{S}, \Pi_I, I)/Y^q] \Rightarrow \mathcal{S}\,u) \qquad (9)
$$

for every $u$ of the appropriate types. To show that $\Pi \in \mathrm{RED}_C[\Omega']$ we need to show that

$$
mc(\Pi'[(\Pi_I, I)/Y^q], \Pi_I[t/y]) \in \mathcal{S}\,t
$$

Since $|(D\,Y^q\,u)| < |p\,t|$ by Lemma [I] we have, by the outer induction hypothesis,

$$
\mathrm{RED}_{(D\,Y^q\,u)}[\Omega', (\mathcal{S}, \Pi_I, I)/Y^q] = \mathrm{RED}_{(D\,Y^q\,u)}[\Omega, (\mathcal{S}, \Pi_I, I)/Y^q]
$$

Hence, by Statement (9) we also have

$$
\Pi_I[u/y] \in (\mathrm{RED}_{(D\,Y^q\,u)}[\Omega, (\mathcal{S}, \Pi_I, I)/Y^q] \Rightarrow \mathcal{S}\,u)
$$

for arbitrary $u$. Now since $\Pi \in \mathrm{RED}_C[\Omega]$ (from the assumption), this means that

$$
mc(\Pi'[(\Pi_I, I)/Y^q], \Pi_I[t/y]) \in \mathcal{S}\,t
$$

and therefore $\Pi$ is indeed in $\mathrm{RED}_C[\Omega']$.

• Suppose $\Pi$ ends with $\mathrm{CI}\mathcal{R}$:

$$
\infer[\mathrm{CI}\mathcal{R}]{\Gamma \longrightarrow q\,t}
  {\deduce{\Gamma \longrightarrow I\,t}{\Pi'} & \deduce{I\,y \longrightarrow B\,I\,y}{\Pi_I}}
$$

where $q\,x = B\,q\,x$. Since $\Pi \in \mathrm{RED}_C[\Omega]$, by Definition [i~5l (P4), there exist a parameter $Y^q$ such that
$Y^q \# \Omega$ and a reducibility candidate $(\mathcal{S} : I)$ such that $\Pi' \in \mathcal{S}$ and

$$
\Pi_I[u/y] \in (\mathcal{S}\,u \Rightarrow \mathrm{RED}_{B\,Y^q\,u}[\Omega, (\mathcal{S}, \Pi_I, I)/Y^q]) \qquad (10)
$$

for every $u$. To show $\Pi \in \mathrm{RED}_C[\Omega']$ we need to find a reducibility candidate satisfying P4. We simply
use $\mathcal{S}$ as that candidate. It remains to show that

$$
\Pi_I[u/y] \in (\mathcal{S}\,u \Rightarrow \mathrm{RED}_{B\,Y^q\,u}[\Omega', (\mathcal{S}, \Pi_I, I)/Y^q])
$$

This follows from Statement (10) above and the outer induction hypothesis, since

$$
\mathrm{RED}_{B\,Y^q\,u}[\Omega, (\mathcal{S}, \Pi_I, I)/Y^q] = \mathrm{RED}_{B\,Y^q\,u}[\Omega', (\mathcal{S}, \Pi_I, I)/Y^q].
$$

The converse, i.e., $\Pi \in \mathrm{RED}_C[\Omega']$ implies $\Pi \in \mathrm{RED}_C[\Omega]$, can be proved analogously. In particular, in
the case where $\Pi$ ends with $\mathrm{CI}\mathcal{R}$, we rely on the fact that the choice of the new parameter $Y^q$ is immaterial,
as long as it is new, so we can assume without loss of generality that $Y^q \neq X^p$. □

Lemma 17. Let $\Omega$ be a candidate substitution and $F$ a closed term of type $\alpha_1 \to \cdots \to \alpha_n \to o$. Then the
set $\mathcal{R} = \{\Pi \mid \Pi \in \mathrm{RED}_{F\,u}[\Omega] \text{ for some } u\}$ is a reducibility candidate of type $F\Omega$.

Proof. Suppose $F = X^p$ for some $X^p \in supp(\Omega)$ and suppose $\Omega(X^p) = (\mathcal{S}, \Pi, F)$. Then in this case, we
have $\mathcal{R} = \mathcal{S}$, so $\mathcal{R}$ is a reducibility candidate of type $F$ by assumption. If $F = X^p$ but $X^p \notin supp(\Omega)$ then
in this case $\mathcal{R} = \mathrm{NM}_{X^p}$, and by Lemma [T51 $\mathcal{R}$ is also a reducibility candidate.

Otherwise, $F \neq X^p$ for any parameter $X^p$. We need to show that $\mathcal{R}$ satisfies CR0 - CR5. CR0 follows
from Lemma [15], CR1 follows from Lemma [Ml and the rest follow from Definition [15]. □
Lemma 18. Let $\Omega$ be a candidate substitution and let $X^p$ be a parameter such that $X^p \# \Omega$. Let $S$ be a
closed term of the same type as $p$ and let

$$
\mathcal{R} = \{\Pi \mid \Pi \in \mathrm{RED}_{S\,u}[\Omega] \text{ for some } u\}.
$$

Suppose $[\Omega, (\mathcal{R}, \Psi, S\Omega)/X^p]$ is a candidate substitution, for some $\Psi$. Then

$$
\mathrm{RED}_{C[S/X^p]}[\Omega] = \mathrm{RED}_C[\Omega, (\mathcal{R}, \Psi, S\Omega)/X^p].
$$

Proof. By induction on $|C|$. If $C = X^p u$, then

$$
\mathrm{RED}_C[\Omega, (\mathcal{R}, \Psi, S\Omega)/X^p] = \mathcal{R}\,u = \mathrm{RED}_{S\,u}[\Omega]
$$

by assumption. The other cases where $C$ is $Y^q u$ for some parameter $Y^q \neq X^p$ are straightforward. So
suppose $C \neq Y^q u$ for any $u$ and any parameter $Y^q$. We show that for every $\Pi$, $\Pi \in \mathrm{RED}_{C[S/X^p]}[\Omega]$ iff
$\Pi \in \mathrm{RED}_C[\Omega, (\mathcal{R}, \Psi, S\Omega)/X^p]$. Note that if $X^p$ does not occur in $C$ then $C[S/X^p] = C$, and by LemmaQl
we have

$$
\mathrm{RED}_{C[S/X^p]}[\Omega] = \mathrm{RED}_C[\Omega] = \mathrm{RED}_C[\Omega, (\mathcal{R}, \Psi, S\Omega)/X^p].
$$

So assume that $X^p$ is not vacuous in $C$. Let $\Omega' = [\Omega, (\mathcal{R}, \Psi, S\Omega)/X^p]$.

• Suppose $\Pi \in \mathrm{RED}_{C[S/X^p]}[\Omega]$. Then $\Pi$ is normalizable. We show, by induction on $nd(\Pi)$, that
$\Pi \in \mathrm{RED}_C[\Omega']$. Most cases follow immediately from the induction hypothesis. The only interesting
case is when $\Pi$ ends with $\supset\mathcal{R}$, where $C = B \supset D$, for some $B$ and $D$, and $\Pi$ takes the form:

$$
\infer[\supset\mathcal{R}]{\Gamma \longrightarrow B[S/X^p]\Omega \supset D[S/X^p]\Omega}
  {\deduce{\Gamma, B[S/X^p]\Omega \longrightarrow D[S/X^p]\Omega}{\Pi'}}
$$

Since $\Pi \in \mathrm{RED}_{C[S/X^p]}[\Omega]$, we have that

$$
\Pi'\rho \in (\mathrm{RED}_{B[S/X^p]\rho}[\Omega] \Rightarrow \mathrm{RED}_{D[S/X^p]\rho}[\Omega])
$$

for every $\rho$. By the outer induction hypothesis (on the size of $C$), we have

$$
\Pi'\rho \in (\mathrm{RED}_{B\rho}[\Omega'] \Rightarrow \mathrm{RED}_{D\rho}[\Omega'])
$$

hence $\Pi \in \mathrm{RED}_C[\Omega']$.

• The converse, i.e., $\Pi \in \mathrm{RED}_C[\Omega']$ implies $\Pi \in \mathrm{RED}_{C[S/X^p]}[\Omega]$, can be proved analogously.

□






